February 14, 2002 8:15 AM PST
Flaw spotted in new Microsoft tool
The security problem is said to lie with the compiler that accompanies the new Visual C++.Net, just one of several tools included in Visual Studio.Net that Microsoft shipped Wednesday. Visual Studio.Net comprises new versions of the company's software development tools, including Visual Basic, Visual C++ and its new Java-like language, C#.
Software security company Cigital says the compiler contains a flaw that can allow an attack called a "buffer overflow" to be initiated. A compiler is software that translates the code that programmers write into the language that computers understand.
It is ironic that Microsoft may have created the flaw in trying to stop another type of security risk. That risk involves buffer overflows, which allow a specially formatted command to cause a computer to crash or execute arbitrary or malicious code.
"There's this place called a stack where you keep track of which function calls which (other) function. The stack holds all sorts of information (such as) local variables and pointers to places," said Gary McGraw, chief technology officer at Dulles, Va.-based Cigital, discoverer of the problem.
"A buffer overflow is a way of causing the return address, where the program is going to go after a subroutine is finished, to go to an attacker's code," McGraw said.
Microsoft said that the matter was not a cause for great alarm.
"This appears to be a relatively narrow and technical deficiency that we are in the process of investigating. We don't know any more right now because this was only reported to us yesterday," said Jim Desler, a Microsoft spokesman.
"In products related to .Net, we take security very seriously and have done so through the development process of these products," he said.
Because the software was just released, it is unlikely that it presents a serious problem right now, McGraw said.
"This is pretty complicated--it's not easy for people to do--but this is a flaw in a tool meant to produce software," McGraw said. "If (developers) rely on this security feature, they will have a false sense of security."
As yet, there have been no reports of problems from developers. Although the tool bundle was released Wednesday, Microsoft said that more than 3.5 million developers had beta test copies of Visual Studio.Net. It was the largest beta test program in Microsoft's history.
In its attempt to prevent a buffer-overflow attack, Microsoft apparently adopted a technology known as StackGuard, which is used in the open-source community to produce compilers that are resistant to such attacks, McGraw said.
But StackGuard itself has vulnerabilities, which McGraw said had been detailed in a hacker magazine.
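To make concrete what McGraw's description of the stack and the StackGuard-style guard word actually mean, here is an added example that is not from the article, from Cigital, or from Microsoft's or StackGuard's own code. It models a single stack frame as a byte array with the layout the technique assumes (local buffer, then a guard "canary" word, then the saved return address), so that an unchecked copy that runs past the buffer must corrupt the guard before it can reach the return address, and the guard check catches it before the function returns. It also shows the bounds-checked copy McGraw recommends instead of relying on the compiler feature. The buffer size, guard value, return-slot value and the `'A'`-filled inputs are all constructed for the example; the article gives no detail of the specific weakness Cigital found, and this code does not model it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a guarded stack frame (constructed for this example; not
 * Microsoft's compiler feature or the StackGuard implementation).
 * Layout, low address to high: local buffer, guard word, saved return
 * address. A write that runs off the end of the buffer passes through the
 * guard word before it can touch the return address. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t) + sizeof(uint32_t))

#define CANARY_VALUE 0xA5C3E1F7u   /* constructed guard value */
#define RETURN_SLOT  0x40401000u   /* placeholder "saved return address" */

enum frame_status {
    FRAME_OK = 0,            /* copy completed, guard intact */
    FRAME_GUARD_TRIPPED = 1, /* guard overwritten: overflow detected before return */
    FRAME_INPUT_REJECTED = 2 /* bounds check refused the copy; nothing written */
};

/* Unchecked copy into the model frame, as code with no bounds check would do.
 * The copy is clamped to the frame size only so the model stays inside its
 * own storage. Returns the result of the guard check performed "on return";
 * the surviving value of the return slot is written to *ret_out. */
static enum frame_status unchecked_copy(const uint8_t *input, size_t len, uint32_t *ret_out)
{
    uint8_t frame[FRAME_SIZE];
    uint32_t canary = CANARY_VALUE, ret = RETURN_SLOT;

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &canary, sizeof canary);
    memcpy(frame + BUF_SIZE + sizeof canary, &ret, sizeof ret);

    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, input, len);   /* no check against BUF_SIZE: this is the bug */

    /* Guard check before "returning": has the canary been changed? */
    memcpy(&canary, frame + BUF_SIZE, sizeof canary);
    memcpy(&ret, frame + BUF_SIZE + sizeof canary, sizeof ret);
    if (ret_out) *ret_out = ret;
    return canary == CANARY_VALUE ? FRAME_OK : FRAME_GUARD_TRIPPED;
}

/* Bounds-checked copy: the "write the code properly" fix, which never
 * relies on the guard word at all. */
static enum frame_status checked_copy(const uint8_t *input, size_t len, uint32_t *ret_out)
{
    if (len > BUF_SIZE) {
        if (ret_out) *ret_out = RETURN_SLOT;
        return FRAME_INPUT_REJECTED;
    }
    return unchecked_copy(input, len, ret_out);
}

/* Run one scenario with a constructed input of `len` bytes of 'A'.
 * checked != 0 uses the bounds-checked copy. */
static enum frame_status run_case(size_t len, int checked, uint32_t *ret_out)
{
    uint8_t input[FRAME_SIZE + 8];
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', sizeof input);
    return checked ? checked_copy(input, len, ret_out)
                   : unchecked_copy(input, len, ret_out);
}

/* Did the saved return address survive the scenario unchanged? */
static int return_address_intact(size_t len, int checked)
{
    uint32_t ret = 0;
    run_case(len, checked, &ret);
    return ret == RETURN_SLOT;
}

int main(void)
{
    static const char *names[] = { "ok", "guard tripped", "input rejected" };
    size_t lens[] = { 8, 18, 24 };
    for (size_t i = 0; i < 3; i++) {
        uint32_t ret;
        enum frame_status s = run_case(lens[i], 0, &ret);
        printf("unchecked, %2zu bytes: %-14s return slot %s\n", lens[i], names[s],
               ret == RETURN_SLOT ? "intact" : "overwritten");
    }
    printf("checked,   24 bytes: %s\n", names[run_case(24, 1, NULL)]);
    return 0;
}
```

The 18-byte case is the one the guard is designed for: the write spills past the buffer, the canary changes, and the check fires while the return slot is still untouched. The 24-byte case shows why the guard check must run before the function returns rather than after. The checked copy never lets either situation arise, which is McGraw's point that the compiler feature is a backstop, not a substitute for correct code.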
The news comes amid Microsoft's highly public effort to step up security in its programs. After the Redmond, Wash.-based software giant suffered a series of embarrassing security problems, Chairman Bill Gates sent a memo to all employees last month announcing a new "trustworthy computing" initiative that sets security as the "highest priority" for the company.
The addition of the new feature to the compiler program was supposed to help developers using the software to make their own software safer.
Microsoft took issue with the manner in which the flaw came to its attention.
"We are very concerned because of the way this was reported to us," Desler said. "Professional security firms don't handle security this way, in terms of contacting a vendor and putting out a press release nearly simultaneously."
Cigital had been considered for participation in a review of Microsoft's .Net security technology but was not selected, leading some to speculate that Cigital publicized the flaw out of spite.
According to McGraw, that notion is "completely, totally unrelated. We do software security work for many, many firms that produce software all over the world. We talk to lots of people about doing work. There's nothing special about this situation."
The security company had programmers' best interests at heart, McGraw said. "All we're trying to do is tell people, 'Don't use this security feature, don't depend on it. Write the code properly, design it properly, test it properly and don't count on the compiler to magically add security for you.'"