Why Windows Vista is unaffected by the VML Bug

MS07-004 does not affect Windows Vista, even though the coding bug is there. Why?

The bug is an integer overflow in the size passed to C++ operator new, but the affected component, vgx.dll, is compiled with the C++ compiler that ships with Visual Studio 2005, which automatically detects this integer overflow at runtime. All of Windows Vista is compiled with this compiler.
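As an added illustration (not code from this post or from vgx.dll), the arithmetic behind this bug class in C++, modelled on a 32-bit size_t as in the affected component: the element count and element size are constructed values, and the overflow check mirrors what the VS2005 compiler inserts for the array form `new T[count]`.

```cpp
#include <cstdint>
#include <limits>

// Model a 32-bit build: size_t is 32 bits, as it was for the affected vgx.dll.
typedef std::uint32_t size32;

// The bug class: the byte count for an array allocation is derived from an
// attacker-controlled element count. On a 32-bit size_t the product wraps,
// so the allocation is tiny while the code goes on to write `count` elements.
// (Constructed illustration; the real vgx.dll code is not reproduced here.)
size32 unchecked_alloc_size(size32 count, size32 elem_size) {
    return count * elem_size;               // wraps silently on overflow
}

// The runtime check VS2005 emits for `new T[count]`: if count * sizeof(T)
// does not fit in size_t, the allocation is refused rather than shrunk.
// Modelled explicitly here; returns false when the product would overflow.
bool checked_alloc_size(size32 count, size32 elem_size, size32 *out) {
    if (elem_size != 0 &&
        count > std::numeric_limits<size32>::max() / elem_size)
        return false;                       // overflow: refuse to allocate
    *out = count * elem_size;
    return true;
}

// Bytes the subsequent element writes would actually touch, computed in
// 64 bits so the gap between "allocated" and "written" is visible.
std::uint64_t bytes_written(size32 count, size32 elem_size) {
    return static_cast<std::uint64_t>(count) * elem_size;
}
```

With count 0x40000001 and 4-byte elements the unchecked path allocates 4 bytes while the writes cover just over 4 GiB; the checked path refuses the allocation outright.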

You can read more about this compiler change in a previous blog post.

The moral of this story is that developers will never find all code-level security bugs, so you need other defenses. Just in case!

Comments (12)

  1. Guillaume says:

    Good news!

    But I wonder: while not a security issue, it is still a bug. Do you know what Microsoft’s patching policy is in this case?

    If this bug sets the trend, it will only be corrected in the next release of vgx.dll, either via some unfortunate security issue or a service pack.

    PS: I loved the SDL book!

  2. Weber Ress says:

    Hi Michael,

    And what about Visual C++ Express Edition? Does it have the same runtime checking of integer overflows? I searched the Express documentation, but I didn’t find any information about this feature.

    Best !

    Weber Ress

  3. Guillaume, we issue security patches for security bugs only 🙂

  4. Susan says:

    Release candidate is though.


    This update addresses the vulnerability discussed in Microsoft Security Bulletin MS07-004. To find out if other security updates are available for you, see the Overview section of this page.

  5. Dean Harding says:

    Guillaume: It’s not a bug at all in the case of Vista. You’re passing in what is essentially invalid VML. That Vista fails to load it is perfectly fine. That Windows XP (et al) DO NOT fail is where the bug is.

    At least, that’s how I understand it.

  6. In the webcast on "Security-Helferlein" it was still grey theory; here is an example from practice:

  7. French translation of Michael HOWARD’s post: Why Windows Vista is unaffected by the VML Bug Le

  9. Dave says:

    How does the Visual Studio compiler’s security protection compare with, say GCC’s ‘-fstack-protector’ and ‘-D_FORTIFY_SOURCE’ options?

  10. Dave, first, -GS (stack protection) is enabled by default; is it enabled by default in GCC? Second, the fortify source sounds like something we have in VC++ 2005: http://blogs.msdn.com/michael_howard/archive/2005/02/03/366625.aspx