Single misplaced '&' caused latest IE exploit

Microsoft blog admits extra ampersand led to security bug exploited by hackers since early July.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft's code.

An errant ampersand ("&") took the blame for the exploit, admitted Microsoft in a blog published Tuesday at its Security Development Lifecycle (SDL) Web site.

Michael Howard, a security program manager at Microsoft, explained in his blog that the typo corrupted the code of an ActiveX control used by the browser. The control was created by Microsoft using an older library of code, which Howard admitted has flaws. Because of those flaws, the typo caused the code to write untrusted data, exposing the browser to the bad guys.

Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the flaw in ActiveX controls.

Development tools like Microsoft's own Visual Studio use the same library of code, known as Active Template Library (ATL). On the same day it released the emergency patch for IE, the company also released a Visual Studio fix.

Howard said the typo would have been difficult to spot in a review of the code, and that none of Microsoft's code analysis methods would have uncovered it either.

In his blog, Howard played a high-tech version of "Where's Waldo?" by challenging readers to find the typo amid a few short lines of code, even hinting that it was a single character.

The code lines he listed were:
__int64 cbSize;
hr = pStream->Read((void*) &cbSize, sizeof(cbSize), NULL);
BYTE *pbArray;
HRESULT hr = SafeArrayAccessData(psa, reinterpret_cast(&pbArray));
hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);

And his riddle for readers:
"I'll give you one more clue - it's a one character typo. Give up? Look at the last line. The first argument is incorrect. It should be: hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL);"

The hole was originally uncovered earlier this month by a pair of German researchers. Thomas Dullien (also known as Halvar Flake), CEO of Zynamics GmbH, and his friend Dennis Elser detailed their discovery in a blog. After the exploit became known, the two did some digging into the code and found the unwanted "&" character.

So what will Microsoft do to guard against future typos?

In his blog, Howard acknowledged the need to clean up the company's coding process. He said that Microsoft will update the tools it uses to find these types of errors. The company will also require its programmers to use the newer ATL code. In the past, Microsoft never told its programmers what to use. But says Howard in his blog, "We're going to change that!"