Friday, December 26, 2008

Redmond security guru explains IE vuln miss

A Microsoft insider has posted an explanation for the firm's failure to spot a critical flaw in Internet Explorer that obliged the firm to publish an out-of-sequence patch earlier this month.

Michael Howard, a principal security program manager with the software giant, explains that the flaw cropped up in a blind spot: a class of bug developers were not trained to look for during code review. Human error is always a factor in developing secure code, and sometimes fuzzing tools can help unearth such errors. Unfortunately, in this case, the testing tools weren't up to the job either.

Howard explained that the flaw involved a "time-of-check-time-of-use" bug in how Internet Explorer handles data binding objects. "Memory-related [time-of-check-time-of-use, or TOCTOU] bugs are hard to find through code review," Howard writes in a post to Microsoft's Security Development Lifecycle blog. "We teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues."

Automated tools that throw a range of test data at applications in order to look for problems also came unstuck, he adds.

"In theory, fuzz testing could find this bug, but today there is no fuzz test case for this code. Triggering the bug would require a fuzzing tool that builds data streams with multiple data binding constructs with the same identifier. Random (or dumb) fuzzing payloads of this data type would probably not trigger the bug, however."

Microsoft's security testers plan to update their testing methodology in order to look more closely for the class of vulnerability exploited by the recent IE flaw. Howard's technically literate post goes on to explain how defences built into Vista and Server 2008 mitigated the bug. The post, which provides coding examples, illustrates the inherent problems of security testing, an issue developers well away from Redmond are obliged to grapple with every day.
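To make the two points in Howard's quotes concrete (a memory-related TOCTOU bug that code review tends to miss, and why a dumb fuzzer rarely triggers it while a format-aware one does), here is an added illustration in C. It is constructed for this page and is not Howard's code or Internet Explorer's data binding implementation: the `Binding` record, the one-integer-per-id stream format, the `on_bind` handler and the fuzz generator are all hypothetical, and "freeing" is simulated with a flag so the stale access can be observed without real memory corruption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a memory-related TOCTOU bug (illustration only; not
 * Internet Explorer's data binding code). A loop caches a record pointer
 * (time of check), calls a handler that may release that record, then touches
 * the cached pointer (time of use). Release is simulated with a flag so the
 * stale access is detectable without real undefined behaviour. */

#define MAX_BINDINGS 8

typedef struct {
    int id;
    int released;                 /* 1 once the handler has "freed" the record */
} Binding;

typedef struct {
    Binding pool[MAX_BINDINGS];   /* backing storage for records */
    Binding *items[MAX_BINDINGS]; /* live list, like an array of object pointers */
    size_t count;
} BindingList;

/* Load a stream of binding identifiers (constructed format: one int per id). */
static void list_load(BindingList *l, const int *ids, size_t n) {
    memset(l, 0, sizeof *l);
    for (size_t i = 0; i < n && i < MAX_BINDINGS; i++) {
        l->pool[i].id = ids[i];
        l->items[i] = &l->pool[i];
        l->count++;
    }
}

/* Handler with a side effect: a binding whose id duplicates an earlier one is
 * rejected, released and removed from the list. Returns 1 if it was removed. */
static int on_bind(BindingList *l, size_t idx) {
    Binding *cur = l->items[idx];
    for (size_t j = 0; j < idx; j++) {
        if (l->items[j]->id == cur->id) {
            cur->released = 1;
            memmove(&l->items[idx], &l->items[idx + 1],
                    (l->count - idx - 1) * sizeof *l->items);
            l->count--;
            return 1;
        }
    }
    return 0;
}

/* Vulnerable loop: count and pointer are captured before the handler runs and
 * reused afterwards. Returns -1 if a released record is touched, else 0. */
static int process_unsafe(BindingList *l) {
    size_t n = l->count;             /* time of check: count never re-read */
    for (size_t i = 0; i < n; i++) {
        Binding *b = l->items[i];    /* pointer cached here ... */
        on_bind(l, i);               /* ... may be released here ... */
        if (b->released) return -1;  /* ... and used here: stale access */
    }
    return 0;
}

/* Hardened loop: the count is re-read on every iteration and the record is
 * fetched only after the handler reports it is still live. */
static int process_safe(BindingList *l) {
    for (size_t i = 0; i < l->count; ) {
        if (on_bind(l, i)) continue; /* removed: slot i now holds the next record */
        Binding *b = l->items[i];    /* time of use follows the side effect */
        if (b->released) return -1;
        i++;
    }
    return 0;
}

/* Deterministic xorshift32, constructed for the demo. */
static uint32_t xs(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Run `trials` generated streams of `len` ids through the vulnerable loop and
 * count how many reach the stale access. With dumb == 1 ids are drawn from a
 * large space; otherwise the generator knows the format and repeats an
 * identifier, which is what Howard says triggering this bug requires. */
static int count_triggers(int dumb, int trials, size_t len, uint32_t seed) {
    int hits = 0;
    if (len < 2 || len > MAX_BINDINGS) return -1;
    for (int t = 0; t < trials; t++) {
        int ids[MAX_BINDINGS];
        for (size_t i = 0; i < len; i++)
            ids[i] = (int)(xs(&seed) % 1000000u);
        if (!dumb) ids[len - 1] = ids[0];   /* structured payload: same id twice */
        BindingList l;
        list_load(&l, ids, len);
        if (process_unsafe(&l) == -1) hits++;
    }
    return hits;
}

int main(void) {
    int ids[] = {5, 5, 6};
    BindingList l;
    list_load(&l, ids, 3);
    printf("unsafe loop on [5,5,6]: %d\n", process_unsafe(&l));
    list_load(&l, ids, 3);
    printf("safe loop on [5,5,6]:   %d (count now %zu)\n", process_safe(&l), l.count);
    printf("dumb fuzz hits:       %d/1000\n", count_triggers(1, 1000, 4, 12345u));
    printf("structured fuzz hits: %d/1000\n", count_triggers(0, 1000, 4, 12345u));
    return 0;
}
```

The defect in `process_unsafe` is invisible to a reviewer who checks the loop bounds and the pointer fetch separately: each is correct in isolation, and the bug lives in the call between them. The dumb generator draws ids from a million-value space, so a four-id stream almost never contains a repeat and the stale path is essentially never exercised; the structured generator always does, which is the "fuzzing tool that builds data streams with multiple data binding constructs with the same identifier" Howard describes.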

Monday, December 22, 2008

Need a Ride? Check Your iPhone


SOON you may no longer need to stick out your thumb to catch a ride. Instead, you may get one by tapping your fingers on your iPhone.

Avego, based in Kinsale, Ireland (www.avego.com), is demonstrating an iPhone application intended to let drivers and prospective passengers connect and share rides.

When the program is available, drivers who want to offer rides will first download the app, then record their preferred route, said Sean O’Sullivan, managing director of Avego and executive chairman of Mapflow, Avego’s parent company, based in Dublin.

“You put the iPhone on the dashboard, and it records the entire trip and sends the route to our network,” he said. The system stores the route, adding it to its menu of paths and pick-up points and offering them automatically to interested riders.

Drivers must have an iPhone in order to use the service, but if passengers don’t, they will be able to look for a ride on the Avego Web site or call or send a text message, Mr. O’Sullivan said. Drivers and riders can identify one another by photographs displayed on their iPhones, as well as by PINs that verify identities and authorize the transaction.

Avego will charge 30 cents a mile, he said, with 85 percent going to the driver to recover some of the commuting costs and 15 percent to the company. All payments will be handled by automated online accounting.

It will take a while to establish a critical mass of drivers and passengers, Mr. O’Sullivan acknowledged. But he hopes that the chance to defray expenses will change the entrenched habits of many drivers who treasure their solitude. “It will require behavior changes on the part of drivers and riders,” he said.

Although there is anecdotal data that carpooling rose during the recent spike in gasoline prices, American drivers have historically preferred solo trips. About three-quarters of workers in the United States drive alone, said Dr. Mark Mather, associate vice president for domestic programs at the Population Reference Bureau, a research organization in Washington.

From 1980 to 2007, workers were carpooling in decreasing numbers, he added. About 20 percent of workers carpooled in 1980, versus just 10 percent last year. “Trip chaining — running errands on the way to and from work,” was part of the reason, he said. “You can’t do that if you are with five other people.” Dr. Mather’s figures are based on the 2007 American Community Survey of the Census Bureau.

But systems like Avego’s might work for people who don’t want to commit to a daily carpool, yet at the last moment decide that they are willing to share on a particular day, said Susan Heinrich, the 511 ride-share and bicycling coordinator at the Metropolitan Transportation Commission in Oakland, Calif. (The service, which uses the 511 phone listing, offers transportation information and ride-sharing resources for nine counties in the San Francisco Bay Area.)

Ms. Heinrich particularly likes Avego’s combination of text messages and colorful mapping. “I also like it that passengers do not need to have an iPhone to use this system,” she said. “I would love to incorporate this technology somehow within our services in the Bay Area.”

At University College Cork in Ireland, Stephan Koch, commuter plan manager, is giving Avego a trial early next year. The university has about 17,000 students and 2,600 staff members, he said; about 70 percent of the staff members use a car to get to the campus, as do about 36 percent of the students. “But the road capacity simply isn’t there,” he said of the often clogged, tortuous commute.

Mr. Koch hopes that Avego’s system, which he calls “computer-driven hitchhiking,” will help, in conjunction with bicycling facilities, improved public transportation and other initiatives.

“This is another option for staff and students other than a single-occupancy car on their daily commute,” he said. “The second person won’t need to bring a car, and there’s one less car in the carpark and on the road.”

A FREE ride-sharing application for the iPhone, Carticipate (www.carticipate.com), was released in October, and already has had more than 10,000 downloads, said Steffen Frost, chief executive of Carticipate in San Francisco.

After you register with Carticipate and set up a profile, he said, “other people with iPhones that have the application can search for you and find you.”

A prospective passenger will see, for instance, that someone is going to Poughkeepsie, N.Y., he said, and read the profile. “If they are comfortable with that and want a ride, they can organize from there,” he said. “We are a matching service.”

Hendrik J. Hilbolling, who lives in The Hague in the Netherlands, uses Carticipate regularly. “My lover lives in France and I go there frequently,” he said. Through Carticipate, he shared one of his recent trips to Paris, as well as the expenses for the journey, with a teacher and a film director.

“Trains are expensive,” he said. “This is a nice ride, we can talk, and this way is much cheaper.”

A Gift for Your Computer


At this time of year, many people ask about the right computer to buy — the Consumer Electronics Association reports that laptops are at the top of the wish list for electronics aficionados this holiday season. But, assuming you’re gifting yourself and not another, sometimes the right answer is not to buy a new computer.

If your Toyota’s running sluggishly, a tune-up might be in order. Same with a sluggish PC. Of course, there are old computers, and then there are old computers. The best maintenance can’t fix a dated processor, limited memory or inadequate storage capacity. But for computers that ran well a year or six months ago and have since bogged down, a spring (or in this case, winter) cleaning may speed up the machine.

One option I’ve come across (there are many available) is from Symantec, the PC security people, who sell Norton branded products. To promote its paid services, the company is offering a free “NortonLive PC Checkup” for Windows computers that assesses basics like the processor’s speed and performance and notes any issues, including those involving security.

Of course, that’s a teaser, but Symantec will sell PC owners a full tune-up for about $40 — which they say is close to half off the usual price — in which a technician will reach into the machine (remotely) and analyze and repair problems. The deal is good until Jan. 4. Granted, there’s not much sex appeal in that gift, but it might save you enough money for a mini-spree at Saks.