Security Considerations: Microsoft Windows Controls
This topic provides information about security considerations related to the Windows controls. The information in this topic does not provide all you need to know about security issues—use it as a starting point and reference for this technology area.
Interconnectivity among computers is common; a developer's chief concern must be application security. The following sections discuss some potential security issues to consider when programming Windows controls.
- Null-terminated Control Messages
- String Use
- Input Validation
- Password Use
- Security Alerts
- Related topics
Null-terminated Control Messages
Many of the control messages and macros have string parameters. Often these messages do not validate the input strings, in particular, they do not check for a terminating
'\0'. When you call a message that uses a string as a parameter, explicitly specify that the string is null-terminated.
When you program Windows controls, it is necessary to manipulate strings. Almost every control requires text to be inserted. For example, to populate a list box you must load strings into the control. Because using strings incorrectly often causes buffer overruns, take precautions to avoid this security risk.
For more information about buffer overruns, see Writing Secure Code by Michael Howard and David LeBlanc, Microsoft Press, 2002 and Best Practices for the Security APIs.
The following control messages can present security problems.
If the text changes between the call to get the text length and the time the text is displayed or used, a buffer overrun can occur. To avoid this, you must validate the string before using it. In addition, the messages that retrieve text, CB_GETLBTEXT, TB_GETBUTTONTEXT, and TTM_GETTEXT, have no buffer size parameter that presents the potential for a buffer overrun.
When you use CB_GETLBTEXT or SB_GETTEXT, you should first call CB_GETLBTEXTLEN or SB_GETTEXTLENGTH to obtain the buffer size. Some of these messages, TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING, and TVM_GETISEARCHSTRING, can be called with a NULL parameter value to obtain the length of the string before invoking the message to retrieve the string.
A message that you should pay particular attention to is the status bar SB_GETTIPTEXT message. This message provides no way to query the length of the string that is to be retrieved.
If you use password-protected edit controls (ES_PASSWORD style), the buffer that contains the retrieved text must be set to zero as soon as possible to avoid exposing the user's password in memory.
The following table lists features that, if used incorrectly, can compromise the security of your applications. The messages listed here do not provide a parameter that specifies the buffer size.
|DlgDirListComboBox||Make sure the buffer used by the function can be written to and is null-terminated.|
|CB_GETLBTEXT||Call CB_GETLBTEXTLEN to obtain the buffer size, and then call CB_GETLBTEXT to retrieve the string.|
|LVM_GETISEARCHSTRING||Call the message with a NULL parameter value to obtain the buffer size, and then call the message a second time to retrieve the string.|
|SB_GETTEXT||Call SB_GETTEXTLENGTH to obtain the buffer size, and then call SB_GETTEXT to retrieve the string.|
|TB_GETBUTTONTEXT||Call the message with a NULL parameter value to obtain the buffer size, and then call the message a second time to retrieve the string.|
|TTM_GETTEXT||This message does not provide a way for you to know or specify the size of the buffer.|
|TVM_GETISEARCHSTRING||Call the message by passing a NULL parameter value to obtain the buffer size, and then call the message a second time to retrieve the string.|