Free Republic
Microsoft's new 'compiler' program has security flaw, consultancy says
MSNBC (no, really!)/WSJ | Feb. 14 | Don Clark

Posted on 02/14/2002 8:00:17 AM PST by B Knotts

Feb. 14 - A Microsoft Corp. technology for plugging a common security hole is vulnerable to the very attack it was designed to prevent, a prominent security consultancy said.

AT ISSUE IS a new version of a special-purpose program, called a compiler, that is included in a high-profile collection of programming tools Microsoft announced Wednesday at a gathering for software developers in San Francisco. The timing of the discovery is doubly embarrassing, coming a month after Microsoft Chairman Bill Gates announced a companywide commitment to improve the security features of its software. (MSNBC is a Microsoft-NBC joint venture.)

Researchers at Cigital, of Dulles, Va., said they discovered the problem in a compiler that comes as part of Visual C++.NET, a new version of a popular Microsoft programming tool. Compilers help translate code that programmers write into a language that computers understand. Microsoft modified the compiler to help prevent what are called buffer overflows, a common hacker attack that makes it possible to replace instructions in a program with malicious code.

Gary McGraw, Cigital's chief technology officer, said Microsoft apparently adopted a technique for improving its compiler that has been used with the Linux operating system and shown to be vulnerable to attack. As a result, he said, Visual C++.NET isn't actually more safe than earlier versions; in fact, it could lead programmers to write more programs that are vulnerable to buffer-overflow attacks.

"They were trying to avoid flaws, but instead managed to create a flaw seeder," Mr. McGraw said.

Cigital informed Microsoft of the discovery Wednesday. Jim Desler, a Microsoft spokesman, said the company was in the process of investigating it. "This appears to be a relatively narrow and technical deficiency," Mr. Desler said.

Avi Rubin, a principal researcher at AT&T Labs, characterized the discovery as "big news" in the security field. "This is the height of irony," said Mr. Rubin, author of the book "White-Hat Security Arsenal." "It's almost like the measures you are taking to be more secure are causing you to be more insecure."

Despite heavy publicity about security problems, researchers and hackers continue to uncover flaws in popular programs. On Tuesday, for example, a government-backed security group issued a widespread alert about a flaw in a fundamental technology used in products from hundreds of companies. Mr. Gates, exasperated by reports of security bugs in Microsoft's products, last month issued an internal memo that called for a broad "Trustworthy Computing" initiative, which includes better training for Microsoft programmers in writing more-secure computer code. His speech Wednesday in San Francisco touched on the security advantages of Microsoft's new Visual Studio.NET programming tools, an important part of the company's plans for Web services.

To some extent, Microsoft has been racing to match security features of the Java programming technology developed by rival Sun Microsystems Inc., including a concept called "managed code" that effectively limits buffer overflow attacks. Mr. McGraw and Jeffrey Payne, Cigital's chief executive, applauded Microsoft's use of such techniques and acknowledged that managed code created with Visual C++.NET shouldn't be vulnerable.

The timing of such disclosures is a hot topic. Microsoft has convinced some security firms to wait before publicly reporting such flaws until 30 days after a software fix is available. Mr. Desler said it was irresponsible for Cigital to give the company so little time to respond and alert customers. "We are very concerned about the way it was disclosed to us," he said.

Mr. Desler also said Cigital had been a candidate to review the company's .NET security technology, but another security firm was selected instead, suggesting that Cigital had a particular reason to snub Microsoft.

"We don't pick targets of security alerts out of malevolence," responded Mr. McGraw, co-author of the book "Building Secure Software." He added that delaying disclosures makes sense when products are already in the field waiting to be attacked. In this case, he said, Cigital wanted to warn programmers before they start relying on the Microsoft product.


TOPICS: Business/Economy; News/Current Events
KEYWORDS: computersecurityin; microsoft; techindex

1 posted on 02/14/2002 8:00:17 AM PST by B Knotts

To: tech_index;Dominic Harr; CheneyChick; bwteim; toupsie; daviddennis; nunya bidness
ping
2 posted on 02/14/2002 8:02:07 AM PST by B Knotts

To: B Knotts
Keep in mind that Visual Studio .NET was the first product to pass Microsoft's new "stringent" security audit.
3 posted on 02/14/2002 8:05:12 AM PST by B Knotts

To: B Knotts
As a result, he said, Visual C++.NET isn't actually more safe than earlier versions; in fact, it could lead programmers to write more programs that are vulnerable to buffer-overflow attacks.

"They were trying to avoid flaws, but instead managed to create a flaw seeder," Mr. McGraw said.

"This is the height of irony," said Mr. Rubin, author of the book "White-Hat Security Arsenal." "It's almost like the measures you are taking to be more secure are causing you to be more insecure."

The timing of such disclosures is a hot topic. Microsoft has convinced some security firms to wait before publicly reporting such flaws until 30 days after a software fix is available.

The stooges are out there trying to sell your bank on using .NET.

.NET has some nice stuff in it. But wait until it's been a year since the last exploits before using it for any mission-critical apps.

4 posted on 02/14/2002 8:06:18 AM PST by Dominic Harr

To: B Knotts
Keep in mind that Visual Studio .NET was the first product to pass Microsoft's new "stringent" security audit.

Holy cow. That piece deserves a post of its own.

That's explosive news.

'Trustworthy Computing' has a ways to go.

5 posted on 02/14/2002 8:07:36 AM PST by Dominic Harr

To: B Knotts
Good grief. Two words come to mind. Keystone Cops.
6 posted on 02/14/2002 8:07:49 AM PST by Hoosier Patriot

To: B Knotts
This is progress.

Used to be that MS programmers had to specifically code in a buffer-overflow vulnerability.

Now they've created a compiler that can automatically build in one, without the developer having to go to the trouble!

7 posted on 02/14/2002 8:11:09 AM PST by Dominic Harr

To: B Knotts
Wait, you got to be kidding me! Microsoft with a security problem in their software? I thought Bill Gates just laid down the law about refocusing Microsoft to be #1 in the area of product security.

Has Microsoft's VP of Marketing, Bush2000, chimed in on this situation? Inquiring minds want to know!

From what I have read, Microsoft's C# is a hacker's dream. About every app it produces is prone to buffer overflows.

8 posted on 02/14/2002 9:07:59 AM PST by toupsie

To: B Knotts;*Microsoft;*Computer Security In
Bump List
9 posted on 02/14/2002 9:10:38 AM PST by Free the USA

To: Dominic Harr
I have had the opportunity to look at .Net and it is not Visual Basic 7.0 or Visual C++ 7.0. It is a whole other product. Frankly, unless you are making heavy use of ASP or COM servers, there is no reason to use it.

I see the VB market dividing into heavy Web users who will go to .Net but most of the market consisting of "legacy" VB 6.0 users who cannot justify the conversion cost.

10 posted on 02/14/2002 9:58:58 AM PST by Tokhtamish

To: toupsie
Has Microsoft's VP of Marketing, Bush2000, chimed in on this situation? Inquiring minds want to know!

He probably doesn't want to bump the thread. :-)

BUMP

11 posted on 02/14/2002 10:43:27 AM PST by B Knotts

To: B Knotts
I'll BUMP to that! But he's probably busy patching....
:>)
12 posted on 02/14/2002 12:04:36 PM PST by bwteim

To: bwteim, BKnotts
Imagine the pow wow that must be going on in the MS PR dept Mr. Shrub2k must work in. They haven't worked up the 'talking points' on this one yet.

We know the last 'talking point' was 'Linux is less secure than Windows'.

Any guesses on how the gang is going to end up 'spinning' now?

Think back. What would a Clinton do?

Attack a small, 3rd world nation?

13 posted on 02/14/2002 12:34:24 PM PST by Dominic Harr

To: Dominic Harr
It's not a bug; it's a feature.
14 posted on 02/14/2002 12:39:42 PM PST by AppyPappy

To: Dominic Harr;B Knotts
These topics don't get much interaction.... hard to fight a headline like this thread. And BK was right in tweaking his source at head, the WSJ (not MSNBC) had it this morning, a quarter page on page B6, Feb. 14, 2002. "Cigital Says Microsoft Program Isn't Secure". BK had:
MSNBC (no, really!)/WSJ | Feb. 14 | Don Clark
15 posted on 02/14/2002 12:42:34 PM PST by bwteim

To: AppyPappy
It's not a bug; it's a feature.

Ha!

16 posted on 02/14/2002 12:59:05 PM PST by Dominic Harr

To: Dominic Harr
Ya know, this could actually be part of a strategy to keep the installed base dependent on Microsoft sticking around. Use MS code, you'll need MS patches. Next thing will be Service Packs for Service Packs.

Oh wait... they're already doing that.

17 posted on 02/14/2002 1:08:29 PM PST by TechJunkYard

To: bwteim
But he's probably busy patching....

Maybe Patch2000 is on the phone with HQ, trying to figure out which patches need patches. I know I lost track a long time ago.

But you've gotta admit, there is a certain logic to getting all patched-up before resuming the noble mission to expose all trolls.

18 posted on 02/14/2002 1:24:29 PM PST by InfraRed

To: B Knotts
MS fumbles the ball, throws interceptions, gets kicks blocked, can't kick a field goal, gets called on penalties, and yet they still win. Says something about their alleged competition, doesn't it?? - Tom
19 posted on 02/14/2002 1:35:51 PM PST by Capt. Tom

To: Capt. Tom
Define "win" in this context.
20 posted on 02/14/2002 2:09:37 PM PST by TechJunkYard
