Security Firm Discloses Flaw in .NET Compiler

A security feature added to the Visual C++ .NET compiler in Visual Studio .NET to protect the programs it builds itself introduces the type of vulnerability, a buffer overflow, that it was designed to protect against, a Dulles, Va.-based security consultancy revealed Thursday.

The disclosure comes at a damaging time for Microsoft Corp. The company on Wednesday released Visual Studio .NET, a linchpin of its Web services strategy. Microsoft officials also told an industry publication that the Visual Studio .NET integrated development environment was the first product to undergo the formal code review for security problems mandated by Bill Gates' Trustworthy Computing initiative.

Cigital Inc. issued the warning about the problem on its Web site Thursday. According to the company, the design-level flaw occurs in Microsoft's Visual C++ .NET and Visual C++ version 7 compiler.

Cigital maintains that the defect leaves executable code built by the compiler vulnerable to a buffer overflow attack. Cigital reports that the feature was bolted on to the Visual C++ compiler to protect compiled programs from certain forms of buffer overflow attack. But the runtime mechanism the compiler adds is itself susceptible to a buffer overflow attack.

Cigital says it found the flaw during pre-release testing of its own unreleased security assessment product.

"The fact that even security features such as Microsoft's broken buffer overflow protection mechanism fall prey to security problems demonstrates the challenge we face," Cigital CTO Gary McGraw said in a statement. "Cigital Labs' discovery shows why relying on a runtime compiler feature to protect against certain types of attacks is not sufficient."
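To make concrete what a StackGuard-style guard does, and why Cigital argues that a runtime compiler feature is not a substitute for correct code, here is an added C example written for this page; it is not Cigital's or Microsoft's code and does not reproduce the flaw Cigital reported. It models one stack frame as a struct with an assumed guard word between the local buffer and a stand-in for the saved return address. An unchecked copy with an untrusted length tramples the guard, which the epilogue check notices only after the frame has already been damaged; a bounds check in the copy routine prevents the write in the first place. The frame layout, the guard constant and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame protected by a StackGuard-style
 * canary: the guard word sits between the local buffer and the saved
 * return address, so a linear overflow must trample it before reaching
 * the return address. Layout and constant are illustrative assumptions,
 * not the real Visual C++ .NET frame layout. */
typedef struct {
    char buf[16];
    uint32_t canary;     /* guard word checked in the epilogue */
    uint32_t saved_ret;  /* stand-in for the saved return address */
} frame_t;

#define CANARY_VALUE 0xA5C3F00Du   /* assumed fixed guard value */

static void frame_init(frame_t *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = 0x1234u;
}

/* Epilogue check: 1 if the guard word is intact, 0 if it was overwritten. */
int canary_intact(const frame_t *f) {
    return f->canary == CANARY_VALUE;
}

/* Unchecked copy with an untrusted length, the pattern the canary is meant
 * to catch. The write is clamped to the frame so the model stays within
 * defined behaviour; the struct is accessed as bytes for the same reason. */
void copy_unchecked(frame_t *f, const unsigned char *src, size_t len) {
    size_t room = sizeof *f - offsetof(frame_t, buf);
    if (len > room) len = room;
    memcpy((unsigned char *)f + offsetof(frame_t, buf), src, len);
}

/* Hardened copy: the bounds check refuses input that does not fit, so the
 * guard word is never reached. Returns 0 on success, -1 if rejected. */
int copy_checked(frame_t *f, const unsigned char *src, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* Run the unchecked copy with 'len' bytes of constructed 'A' filler.
 * Returns 0 if the canary survived, 1 if it detected corruption. */
int run_unchecked(size_t len) {
    unsigned char filler[64];
    frame_t f;
    memset(filler, 'A', sizeof filler);
    if (len > sizeof filler) len = sizeof filler;
    frame_init(&f);
    copy_unchecked(&f, filler, len);
    return canary_intact(&f) ? 0 : 1;
}

/* Same input through the hardened copy. Returns 0 if accepted, -1 if the
 * bounds check rejected it, -2 if the canary was somehow damaged. */
int run_checked(size_t len) {
    unsigned char filler[64];
    frame_t f;
    int rc;
    memset(filler, 'A', sizeof filler);
    if (len > sizeof filler) len = sizeof filler;
    frame_init(&f);
    rc = copy_checked(&f, filler, len);
    return canary_intact(&f) ? rc : -2;
}

int main(void) {
    printf("16 bytes, unchecked: canary %s\n", run_unchecked(16) ? "corrupted" : "intact");
    printf("20 bytes, unchecked: canary %s\n", run_unchecked(20) ? "corrupted" : "intact");
    printf("20 bytes, checked:   %s\n",
           run_checked(20) == -1 ? "rejected before any write" : "accepted");
    return 0;
}
```

The point of the pairing is the order of events: the guard only reports damage at function exit, after the buffer, the guard and possibly the saved return address have already been overwritten, whereas the bounds check in `copy_checked` means there is nothing for the guard to detect. A guard is a last line of defence for code that was already wrong, not a replacement for checking lengths.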

A Microsoft spokesman, who characterized the problem as narrow, publicly expressed anger that Cigital had released the warning immediately without providing a customary 30-day grace period to allow Microsoft to address the problem. The spokesman suggested Cigital may have had a grudge against Microsoft because the security firm lost a bid for the contract to perform an independent security review of Visual Studio .NET prior to its release.

Cigital executives argued that a grace period was unnecessary since Visual Studio .NET was just released, and that an early warning would prevent developers from creating insecure code before a fix was available.

Beyond the timing of its disclosure, Cigital had hard words for Microsoft.

"There is much more to software security than simply demonstrating the right attitude," Cigital president and CEO Jeffery Payne said in a statement.

Meanwhile, a technical paper describing the problem on the Cigital Web site begins: "Microsoft is making an important push to improve software security, as evidenced by the Gates memo of January 2002. However, Microsoft clearly has room for improvement if ... even their security features have architectural security problems."

The paper goes on to suggest that Microsoft failed to thoroughly review available documentation about the StackGuard tool it based the feature on, that Microsoft would have served customers better by rewriting the compiler itself, and that the best solution for developers is to write code in Java.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.