Just a day after Microsoft released what it calls the most important development tool in its history, a research firm says the tool contains a flaw that could cause developers to write software vulnerable to hacker attacks.
A compiler included in Visual C++.Net, which is part of this week's release of Visual Studio.Net, is fundamentally flawed and gives developers a false sense of security, according to Gary McGraw, CTO of Cigital, a Dulles, Virginia security firm.
"There is a flaw in a feature of a tool to produce software and people who develop software using that feature may be relying on that feature to protect them but it is a false sense of security," McGraw says.
The compiler, which converts software code into a format computers can read, was designed to eliminate buffer overflow vulnerabilities, the most common hacker attack on Microsoft and other software -- but ironically the compiler itself is vulnerable to such an attack. McGraw says if the compiler is attacked and compromised it will allow the hacker to run code of his choice on either a client or server computer.
McGraw says the vulnerability only exists if the software code is compiled into native code. The vulnerability is not present if code is compiled into managed code, which is code that runs in a virtual machine such as Microsoft's .Net Framework.
Microsoft says it was aware of McGraw's finding but refused to comment until it could test it.
McGraw says that exploiting the vulnerability takes "a pretty sophisticated attack."
The news comes after Bill Gates, Microsoft's chief software architect, released a memo last month saying the company was committing itself to security through what he called a Trustworthy Computing initiative. Gates made reference to the initiative on Wednesday during his keynote speech to announce that Visual Studio.Net was being released for retail sale.
The development suite -- which includes Visual C#, Visual Basic, and Visual C++ -- is the linchpin in the company's .Net strategy, a plan to deliver software as a set of reusable components.
While the suite can be used to write .Net applications, which would be compiled into managed code, it also can be used to write applications that will be compiled into native code. But McGraw adds that in .Net a lot of managed code will make calls to native code and that could expose the buffer overflow problem in .Net.
McGraw says the vulnerability is contained in a security feature Microsoft ported from the open source community called Stack Guard. The feature automatically protects code from some forms of buffer overflow attacks. The intent was that developers could continue to use potentially vulnerable coding techniques but eliminate exposure to buffer overflow attacks using Microsoft's version of Stack Guard.
McGraw says a better approach would be for developers to "design for security, test the heck out of their code and make sure their implementations are right."
He says Microsoft should be commended for its announcement to change its security philosophy, but that they are up against a hard problem in building secure software.