[ISN] Microsoft's new 'compiler' program

From: InfoSec News (isnat_private)
Date: Fri Feb 15 2002 - 02:02:01 PST

Forwarded from: dont <dontat_private>

By Don Clark

Feb. 14 - A Microsoft Corp. technology for plugging a common security
hole is vulnerable to the very attack it was designed to prevent, a
prominent security consultancy said.

AT ISSUE IS a new version of a special-purpose program, called a
compiler, that is included in a high-profile collection of programming
tools Microsoft announced Wednesday at a gathering for software
developers in San Francisco. The timing of the discovery is doubly
embarrassing, coming a month after Microsoft Chairman Bill Gates
announced a companywide commitment to improve the security features of
its software. (MSNBC is a Microsoft-NBC joint venture.)

Researchers at Cigital, of Dulles, Va., said they discovered the
problem in a compiler that comes as part of Visual C++.NET, a new
version of a popular Microsoft programming tool. Compilers help
translate code that programmers write into a language that computers
understand. Microsoft modified the compiler to help prevent what are
called buffer overflows, a common hacker attack that makes it possible
to replace instructions in a program with malicious code.

Gary McGraw, Cigital's chief technology officer, said Microsoft
apparently adopted a technique for improving its compiler that has
been used with the Linux operating system and shown to be vulnerable
to attack. As a result, he said, Visual C++.NET isn't actually more
safe than earlier versions; in fact, it could lead programmers to
write more programs that are vulnerable to buffer-overflow attacks.

"They were trying to avoid flaws, but instead managed to create a flaw
seeder," Mr. McGraw said.

Cigital informed Microsoft of the discovery Wednesday. Jim Desler, a
Microsoft spokesman, said the company was in the process of
investigating it. "This appears to be a relatively narrow and
technical deficiency," Mr. Desler said.

Avi Rubin, a principal researcher at AT&T Labs, characterized the
discovery as "big news" in the security field. "This is the height of
irony," said Mr. Rubin, author of the book "White-Hat Security
Arsenal." "It's almost like the measures you are taking to be more
secure are causing you to be more insecure."

Despite heavy publicity about security problems, researchers and
hackers continue to uncover flaws in popular programs. On Tuesday, for
example, a government-backed security group issued a widespread alert
about a flaw in a fundamental technology used in products from
hundreds of companies.

Mr. Gates, exasperated by reports of security bugs in Microsoft's
products, last month issued an internal memo that called for a broad
"Trustworthy Computing" initiative, which includes better training for
Microsoft programmers in writing more-secure computer code. His speech
Wednesday in San Francisco touched on the security advantages of its
new Visual Studio.NET programming tools, an important part of the
company's plans for Web services.

To some extent, Microsoft has been racing to match security features
of the Java programming technology developed by rival Sun Microsystems
Inc., including a concept called "managed code" that effectively
limits buffer overflow attacks. Mr. McGraw and Jeffrey Payne,
Cigital's chief executive, applauded Microsoft's use of such
techniques and acknowledged that managed code created with Visual
C++.NET shouldn't be vulnerable.

The timing of such disclosures is a hot topic. Microsoft has convinced
some security firms to wait before publicly reporting such flaws until
30 days after a software fix is available. Mr. Desler said it was
irresponsible for Cigital to give the company so little time to
respond and alert customers. "We are very concerned about the way it
was disclosed to us," he said.

Mr. Desler also said Cigital had been a candidate to review the
company's .NET security technology, but another security firm was
selected instead, suggesting that Cigital had a particular reason to
snub Microsoft.

"We don't pick targets of security alerts out of malevolence,"
responded Mr. McGraw, co-author of the book "Building Secure
Software." He added that delaying disclosures makes sense when
products are already in the field waiting to be attacked. In this
case, he said, Cigital wanted to warn programmers before they start
relying on the Microsoft product.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 05:01:35 PST