Forwarded from: dont <dontat_private>

http://www.msnbc.com/news/707130.asp

By Don Clark
THE WALL STREET JOURNAL

Feb. 14 - A Microsoft Corp. technology for plugging a common security hole is vulnerable to the very attack it was designed to prevent, a prominent security consultancy said.

AT ISSUE IS a new version of a special-purpose program, called a compiler, that is included in a high-profile collection of programming tools Microsoft announced Wednesday at a gathering for software developers in San Francisco. The timing of the discovery is doubly embarrassing, coming a month after Microsoft Chairman Bill Gates announced a companywide commitment to improve the security features of its software. (MSNBC is a Microsoft-NBC joint venture.)

Researchers at Cigital, of Dulles, Va., said they discovered the problem in a compiler that comes as part of Visual C++.NET, a new version of a popular Microsoft programming tool. Compilers translate the code that programmers write into the instructions that computers execute. Microsoft modified the compiler to help prevent what are called buffer overflows, a common attack in which input longer than the memory set aside for it overwrites adjacent data, letting an attacker redirect the program to code of their choosing.

Gary McGraw, Cigital's chief technology officer, said Microsoft apparently adopted a technique for improving its compiler that has been used with the Linux operating system and shown to be vulnerable to attack. As a result, he said, Visual C++.NET isn't actually safer than earlier versions; in fact, it could lead programmers to write more programs that are vulnerable to buffer-overflow attacks. "They were trying to avoid flaws, but instead managed to create a flaw seeder," Mr. McGraw said.

Cigital informed Microsoft of the discovery Wednesday. Jim Desler, a Microsoft spokesman, said the company was in the process of investigating it. "This appears to be a relatively narrow and technical deficiency," Mr. Desler said.
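The article does not say which attack defeats the compiler's protection. The example below is added here (it is not code from the article, from Cigital or from Microsoft) and shows the limitation shared by every canary-style scheme of the kind the article describes: the compiler plants a guard value in the prologue and checks it only when the function returns, so anything the overflow overwrites and the function uses before that point, here a function-pointer local, is not protected at all. The frame layout, offsets, the CANARY value and the benign/attacker handler names are assumptions made for this model, and the frame is simulated in a byte array instead of smashing the real stack so that the program runs deterministically and stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of one canary-protected stack frame. Layout, names and constants
 * are assumptions for this example, not /GS or StackGuard internals. Offsets
 * increase in the direction an overflow of buf runs:
 *
 *   [ buf (16) ][ handler (4) ][ canary (4) ][ return address (4) ]
 */
enum { OFF_BUF = 0, BUF_SIZE = 16, OFF_HANDLER = 16,
       OFF_CANARY = 20, OFF_RET = 24, FRAME_SIZE = 28 };

#define CANARY 0xDEADBEEFu

/* "Code addresses" are indices into this table instead of real pointers. */
enum { ADDR_CALLER = 0, ADDR_BENIGN = 1, ADDR_ATTACKER = 2 };

static int benign_calls, attacker_calls;          /* which code actually ran */
static void benign(void)   { benign_calls++; }
static void attacker(void) { attacker_calls++; }
static void (*const code[])(void) = { NULL, benign, attacker };

/* Outcome flags returned by vulnerable(). */
enum { RETURNED_OK = 0, CANARY_TRIPPED = 1, CONTROL_HIJACKED = 2 };

static uint32_t load32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void store32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* Transfer control to a modelled code address; report whether it was the attacker's. */
static int dispatch(uint32_t addr)
{
    if (addr < sizeof code / sizeof code[0] && code[addr] != NULL) code[addr]();
    return addr == ADDR_ATTACKER;
}

/*
 * A function with an unbounded copy into a local buffer, "compiled" with
 * canary protection: the prologue plants the canary, the epilogue checks it.
 */
int vulnerable(const unsigned char *input, size_t n)
{
    unsigned char frame[FRAME_SIZE];
    int outcome = RETURNED_OK;

    /* prologue */
    store32(frame + OFF_HANDLER, ADDR_BENIGN);
    store32(frame + OFF_CANARY, CANARY);
    store32(frame + OFF_RET, ADDR_CALLER);

    /* The bug: no check against BUF_SIZE. (Clamping to the modelled frame
       only keeps the simulation itself well defined.) */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame + OFF_BUF, input, n);

    /* The function calls through its function-pointer local before returning... */
    if (dispatch(load32(frame + OFF_HANDLER))) outcome |= CONTROL_HIJACKED;

    /* ...and the canary is examined only here, in the epilogue. */
    if (load32(frame + OFF_CANARY) != CANARY)
        return outcome | CANARY_TRIPPED;   /* a real compiler aborts the process;
                                              the overwritten return address is never used */
    if (dispatch(load32(frame + OFF_RET))) outcome |= CONTROL_HIJACKED;
    return outcome;
}

/* Constructed payloads (example data, not taken from any real exploit). */
size_t payload_return_address(unsigned char *out)
{
    memset(out, 'A', BUF_SIZE);
    store32(out + OFF_HANDLER, ADDR_BENIGN);   /* leave the handler intact */
    store32(out + OFF_CANARY, 0x41414141u);    /* the canary cannot be skipped over */
    store32(out + OFF_RET, ADDR_ATTACKER);
    return FRAME_SIZE;
}

size_t payload_handler(unsigned char *out)
{
    memset(out, 'A', BUF_SIZE);
    store32(out + OFF_HANDLER, ADDR_ATTACKER); /* stop short of the canary */
    return OFF_CANARY;
}

int run_normal(void) { return vulnerable((const unsigned char *)"hello", 6); }
int run_return_address_attack(void)
{
    unsigned char p[FRAME_SIZE]; size_t n = payload_return_address(p);
    return vulnerable(p, n);
}
int run_handler_attack(void)
{
    unsigned char p[FRAME_SIZE]; size_t n = payload_handler(p);
    return vulnerable(p, n);
}

int main(void)
{
    printf("normal input:             outcome %d\n", run_normal());
    printf("return-address overwrite: outcome %d (canary tripped, attacker never runs)\n",
           run_return_address_attack());
    printf("handler overwrite:        outcome %d (attacker ran before the check)\n",
           run_handler_attack());
    return 0;
}
```

The first payload is what the canary was built for: reaching the return address means trampling the canary, so the epilogue catches it. The second payload stops before the canary, and because the function dereferences the overwritten pointer before the epilogue runs, the check passes after the attacker's code has already executed. Managed code, which the article notes Microsoft also offers, avoids the whole class by bounds-checking the copy rather than detecting the damage afterwards.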
Avi Rubin, a principal researcher at AT&T Labs, characterized the discovery as "big news" in the security field. "This is the height of irony," said Mr. Rubin, author of the book "White-Hat Security Arsenal." "It's almost like the measures you are taking to be more secure are causing you to be more insecure."

Despite heavy publicity about security problems, researchers and hackers continue to uncover flaws in popular programs. On Tuesday, for example, a government-backed security group issued a widespread alert about a flaw in a fundamental technology used in products from hundreds of companies.

Mr. Gates, exasperated by reports of security bugs in Microsoft's products, last month issued an internal memo that called for a broad "Trustworthy Computing" initiative, which includes better training for Microsoft programmers in writing more-secure computer code. His speech Wednesday in San Francisco touched on the security advantages of Microsoft's new Visual Studio.NET programming tools, an important part of the company's plans for Web services.

To some extent, Microsoft has been racing to match security features of the Java programming technology developed by rival Sun Microsystems Inc., including a concept called "managed code" that effectively limits buffer overflow attacks. Mr. McGraw and Jeffrey Payne, Cigital's chief executive, applauded Microsoft's use of such techniques and acknowledged that managed code created with Visual C++.NET shouldn't be vulnerable.

The timing of such disclosures is a hot topic. Microsoft has convinced some security firms to wait before publicly reporting such flaws until 30 days after a software fix is available. Mr. Desler said it was irresponsible for Cigital to give the company so little time to respond and alert customers. "We are very concerned about the way it was disclosed to us," he said. Mr. Desler also said Cigital had been a candidate to review the company's .NET security technology, but another security firm was selected instead, suggesting that Cigital had a particular reason to snub Microsoft.

"We don't pick targets of security alerts out of malevolence," responded Mr. McGraw, co-author of the book "Building Secure Software." He added that delaying disclosures makes sense when products are already in the field waiting to be attacked. In this case, he said, Cigital wanted to warn programmers before they start relying on the Microsoft product.

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 05:01:35 PST