System and method for identifying potential security risks in controls

US 20040025043A1
Filed: 05/22/2002
Published: 02/05/2004
Est. Priority Date: 05/22/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying a potentially harmful software object, comprising:

identifying a plurality of interesting controls out of a plurality of software objects that have been installed, the plurality of software objects being associated with a software program of interest, each interesting control having one or more characteristics that potentially allows the computer system to be subjected to a security risk upon execution of the interesting control on the computer system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system and method for tracking and verifying that controls associated with an application of interest do not present a potential security risk. The method includes identifying controls of interest by determining which installed software objects associated with the application of interest exhibit certain characteristics, such as being publicly creatable, being designated as safe, and providing a security-related interface. Once the controls of interest are identified from the installed software objects, information associated with each control is obtained and stored. Each time the software program of interest is modified and re-installed, the information is updated to reflect the modifications. Additional information is also stored with the information. The information and the additional information may be provided to a browser for display and may be modified by a user to describe a present state associated with the control of interest (i.e., tested, untested).

50 Citations

View as Search Results

30 Claims

1. A computer-implemented method for identifying a potentially harmful software object, comprising:
- identifying a plurality of interesting controls out of a plurality of software objects that have been installed, the plurality of software objects being associated with a software program of interest, each interesting control having one or more characteristics that potentially allows the computer system to be subjected to a security risk upon execution of the interesting control on the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein identifying the plurality of interesting controls includes:
    - identifying a first set of objects;
      
      comparing the first set of objects with a second set of objects to identify at least one duplicate object, the second set of objects being software objects that were installed on the computer system before installing the software program of interest;
      
      creating a third set of objects from the first set of objects by removing the at least one duplicate object from the first set of objects;
      
      creating a subset of objects from the third set of objects, the subset of objects each having a first characteristic that allows public creation.
  - 3. The computer-implemented method of claim 2, wherein identifying the first set of objects comprises reviewing entries in a registry.
  - 4. The computer-implemented method of claim 2, wherein identifying the first set of objects comprises reviewing entries in a file system.
  - 5. The computer-implemented method of claim 1, further comprising forcing software objects in the software program of interest to install so that identifying the plurality of interesting controls includes identifying software objects that were not installed when the software program of interest was installed.
  - 6. The computer-implemented method of claim 5, wherein forcing software objects in the software program to install includes identifying a software module associated with each object in the first set of objects, loading the software module, identifying a new object, and adding the new object to the subset of objects, the new object not existing in the first and second set of objects.
  - 7. The computer-implemented method of claim 1, wherein identifying the plurality of interesting controls is based on whether the interesting control includes a designation as safe, the designation as safe being one of the characteristics.
  - 8. The computer-implemented method of claim 7, wherein the designation of safe is determined by reviewing a registry.
  - 9. The computer-implemented method of claim 7, wherein the designation of safe is determined by instantiating an object in the fourth set of objects, and upon instantiation failure, designating the object as safe.
  - 10. The computer-implemented method of claim 7, wherein the designation of safe is determined by checking whether a security interface is supported.
  - 11. The computer-implemented method of claim 1, further comprising storing information associated with the interesting controls.
  - 12. The computer-implemented method of claim 11, further comprising providing a user-interface for displaying the information, the user-interface being accessible using a browser and providing a mechanism for approving changes associated with the plurality of interesting controls.
  - 13. The computer-implemented method of claim 1, wherein the plurality of interesting controls include ActiveX controls.

14. A system for tracking and verifying that controls have been tested for security concerns, comprising:
- a client computer configured to identify a plurality of interesting controls and to obtain information associated with the plurality of interesting controls, the plurality of interesting controls being identified from installed software objects;
  
  a server computer configured to receive the information from the client computer and to store the information in a database; and
  
  a plurality of user computers configured to submit requests to the server computer and to receive a rich set of information for display in a browser executing on the user computer, the rich set of information allowing changes in the interesting controls to be tracked and verified.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein the rich set of information includes a developer sign-off field that is modifiable to indicate a development status.
  - 16. The system of claim 14, wherein the rich set of information includes a tester sign-off field that is modifiable to indicate a test status.
  - 17. The system of claim 14, wherein the server computer is configured to receive the information over HTTP.
  - 18. The system of claim 14, wherein requests include information requests and update requests, the information requests being sent via an HTTP GET request to obtain the rich set of information and the update request being sent via an HTTP POST to update the database based on modifications to the rich set of information.
  - 19. The system of claim 14, wherein the client computer is further configured to send a modify request to the server computer indicating a change in the plurality of interesting controls and wherein the server computer is further configured to update the database based on the modify request.
  - 20. The system of claim 14, wherein the plurality of interesting controls includes ActiveX controls.
  - 21. The system of claim 14, wherein the server computer includes the client computer.

22. A computer-implemented method for tracking and verifying that controls have been tested for security concerns, comprising:
- extracting information pertaining to a plurality of controls after a software program having a plurality of software objects has been installed on a computer system, the plurality of controls being a subset of the plurality of software objects;
  
  storing the information in a database;
  
  retrieving the information upon request;
  
  displaying the information, along with additional information, in a browser, the additional information providing a mechanism for tracking and verifying that controls have been tested for security concerns;
  
  updating the additional information through the browser; and
  
  updating the database based on the additional information updated through the browser.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The computer-implemented method of claim 22, wherein the additional information includes a developer sign-off field that is modifiable to indicate a development status.
  - 24. The computer-implemented method of claim 22, wherein the additional information includes a tester sign-off field that is modifiable to indicate a test status.
  - 25. The computer-implemented method of claim 22, wherein the plurality of controls are publicly creatable.
  - 26. The computer-implemented method of claim 22, wherein the plurality of controls includes a designation of safe associated with the control.
  - 27. The computer-implemented method of claim 26, wherein the designation of safe appears in a registry.
  - 28. The computer-implemented method of claim 26, wherein the designation of safe is based on an interface provided by the control.
  - 29. The computer-implemented method of claim 28, wherein the interface includes an IObjectSafety interface and a unique interface identifier.
  - 30. The computer-implemented method of claim 22, wherein the plurality of controls includes ActiveX controls.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Landauer, Lawrence G., Akhtar, Imran, Gallagher, Thomas P.

Granted Patent

US 7,577,941 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/577 Assessing vulnerabilities a...

System and method for identifying potential security risks in controls

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying potential security risks in controls

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links