Flaw found in MS security patch
Published: 14 Feb 2002 15:04 GMT
A flaw in a software tool just released by Microsoft could lead software developers to inadvertently write programs that are vulnerable to attack, according to security specialists who discovered the flaw.
The security problem is said to lie with the compiler that accompanies the new Visual C++.Net, just one of several tools included in Visual Studio.Net that Microsoft shipped on Wednesday. Visual Studio.Net comprises new versions of the company's software development tools, including Visual Basic, Visual C++ and its new Java-like language, C#.
Software security company Cigital says the compiler contains a flaw that would allow a type of attack called a "buffer overflow" to be carried out. A compiler is software that translates the code that programmers write into the language that computers understand.
Ironically, Microsoft may have created the flaw while trying to stop that very kind of attack. A buffer overflow allows a specially formatted command to cause a computer to crash or to execute arbitrary or malicious code.
"There's this place called a stack where you keep track of which function calls which (other) function. The stack holds all sorts of information (such as) local variables and pointers to places," said Gary McGraw, chief technology officer at Cigital, which discovered the problem. "A buffer overflow is a way of causing the return of address, where the program is going to go, after a subroutine is finished, to go to an attacker code."
Microsoft could not immediately be reached for comment.
Since the software was just released, it is unlikely that it presents a serious problem right now, McGraw said.
"This is pretty complicated -- it's not easy for people to do -- but this is a flaw in a tool meant to produce software," McGraw said. "If (developers) rely on this security feature, they will have a false sense of security."
As yet, there have been no reports of problems from developers. Although the tool bundle was released on Wednesday, Microsoft said that more than 3.5 million developers had beta test copies of Visual Studio.Net. It was the largest beta test program in Microsoft's history.
In its attempt to prevent buffer-overflow attacks, Microsoft apparently adopted a technique known as StackGuard, a compiler extension used in the open source community to produce programs that are resistant to such attacks, McGraw said.
But StackGuard itself has vulnerabilities, which McGraw said had been detailed in a hacker magazine.
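The guard-word mechanism the article attributes to StackGuard, shown as an added example that is not Cigital's, Microsoft's or StackGuard's own code: a stack frame is modelled as a plain byte array holding a local buffer, then a guard word (the "canary"), then the saved return address, so every write stays inside the array and the behaviour is fully defined. The layout, the canary value, the return address and the over-long input are all constructed for the demonstration. An unbounded copy runs through the canary and the return address and is caught by the epilogue check; a bounded copy of the same input, the "write the code properly" approach McGraw argues for, leaves both intact.

```c
/* Added example: a simulated stack frame with a StackGuard-style canary.
 * Layout, canary value, return address and input are constructed for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    BUF_SIZE   = 16,              /* local char buffer                     */
    CANARY_OFF = BUF_SIZE,        /* guard word sits directly above it      */
    RET_OFF    = BUF_SIZE + 4,    /* then the saved return address          */
    FRAME_SIZE = BUF_SIZE + 4 + 4
};

/* Fixed here for reproducibility; real StackGuard/GS builds pick the value at
 * process start so it is not known in advance. */
static const uint32_t CANARY_VALUE = 0xA5C3D27Fu;

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

/* Prologue: zero the frame, plant the canary, save the return address. */
static void frame_init(frame_t *f, uint32_t ret_addr) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &CANARY_VALUE, sizeof CANARY_VALUE);
    memcpy(f->bytes + RET_OFF, &ret_addr, sizeof ret_addr);
}

static uint32_t frame_ret_addr(const frame_t *f) {
    uint32_t r;
    memcpy(&r, f->bytes + RET_OFF, sizeof r);
    return r;
}

/* Epilogue check as StackGuard inserts it: the function may only return if the
 * guard word is unchanged. */
static bool frame_canary_intact(const frame_t *f) {
    return memcmp(f->bytes + CANARY_OFF, &CANARY_VALUE, sizeof CANARY_VALUE) == 0;
}

/* The defect the canary is meant to catch: copying input without regard to the
 * buffer's size. The clamp to FRAME_SIZE only keeps the simulation inside its
 * own array; on a real stack the write would continue into the caller's frame. */
static void unchecked_copy(frame_t *f, const unsigned char *src, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, src, len);
}

/* The fix that does not depend on the compiler: bound the copy to the buffer. */
static void bounded_copy(frame_t *f, const unsigned char *src, size_t len) {
    if (len > BUF_SIZE - 1) len = BUF_SIZE - 1;
    memcpy(f->bytes, src, len);
    f->bytes[len] = '\0';
}

/* Constructed input: 24 bytes of 'A', longer than the 16-byte buffer. */
static void make_long_input(unsigned char *dst, size_t len) {
    memset(dst, 'A', len);
}

/* Unbounded path: the copy overwrites canary and return address; the epilogue
 * check fails, which is the detection the canary provides. */
bool demo_overflow_is_detected(void) {
    unsigned char input[24];
    frame_t f;
    make_long_input(input, sizeof input);
    frame_init(&f, 0x00401000u);
    unchecked_copy(&f, input, sizeof input);
    return !frame_canary_intact(&f) && frame_ret_addr(&f) == 0x41414141u;
}

/* Bounded path: same input, but the copy stops at the buffer's edge, so the
 * canary and return address survive and the function may return normally. */
bool demo_bounded_copy_is_safe(void) {
    unsigned char input[24];
    frame_t f;
    make_long_input(input, sizeof input);
    frame_init(&f, 0x00401000u);
    bounded_copy(&f, input, sizeof input);
    return frame_canary_intact(&f) && frame_ret_addr(&f) == 0x00401000u;
}

int main(void) {
    printf("unbounded copy detected by canary: %s\n", demo_overflow_is_detected() ? "yes" : "no");
    printf("bounded copy passes canary check:  %s\n", demo_bounded_copy_is_safe() ? "yes" : "no");
    return 0;
}
```

Two things the simulation makes visible: the canary only reports an overwrite that has passed through the guard word, after the damage is done, so it is a detection, not a prevention; and the bounded copy needs no help from the compiler at all. Both are the reason McGraw's advice is to bound the copy in the code rather than rely on the feature.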
The news comes as Microsoft has made a highly public effort to step up security in its programs. After the software giant suffered a series of embarrassing security problems, chairman Bill Gates sent a memo to all employees last month announcing a new "trustworthy computing" initiative that sets security as the "highest priority" for the company.
Adding the new feature to the compiler program was supposed to help developers using the software make their own software safer.
Cigital had been considered for participation in a review of Microsoft's .Net security technology but was not selected, leading some to speculate that Cigital publicised the flaw out of spite.
"(That is) completely, totally unrelated," McGraw said. "We do software security work for many, many firms that produce software all over the world. We talk to lots of people about doing work. There's nothing special about this situation."
The security company had programmers' best interests at heart, McGraw said. "All we're trying to do is tell people, 'Don't use this security feature, don't depend on it. Write the code properly, design it properly, test it properly and don't count on the compiler to magically add security for you.'"