Information Security News mailing list archives

Microsoft's new 'compiler' program


From: InfoSec News <isn () c4i org>
Date: Fri, 15 Feb 2002 04:02:01 -0600 (CST)

Forwarded from: dont <dont () csds uidaho edu>

http://www.msnbc.com/news/707130.asp

By Don Clark
THE WALL STREET JOURNAL

Feb. 14 - A Microsoft Corp. technology for plugging a common security
hole is vulnerable to the very attack it was designed to prevent, a
prominent security consultancy said.
         
AT ISSUE IS a new version of a special-purpose program, called a
compiler, that is included in a high-profile collection of programming
tools Microsoft announced Wednesday at a gathering for software
developers in San Francisco. The timing of the discovery is doubly
embarrassing, coming a month after Microsoft Chairman Bill Gates
announced a companywide commitment to improve the security features of
its software. (MSNBC is a Microsoft-NBC joint venture.)
         
Researchers at Cigital, of Dulles, Va., said they discovered the
problem in a compiler that comes as part of Visual C++.NET, a new
version of a popular Microsoft programming tool. Compilers translate
the code that programmers write into instructions the computer can
execute. Microsoft modified the compiler to help prevent what are
called buffer overflows, a common attack in which input larger than
the memory set aside for it spills into neighbouring data, letting an
attacker redirect the program into malicious code of the attacker's
choosing.
       
Gary McGraw, Cigital's chief technology officer, said Microsoft
apparently adopted a technique for improving its compiler that has
been used with the Linux operating system and shown to be vulnerable
to attack. As a result, he said, Visual C++.NET isn't actually any
safer than earlier versions; in fact, it could lead programmers to
write more programs that are vulnerable to buffer-overflow attacks.
       
"They were trying to avoid flaws, but instead managed to create a flaw
seeder," Mr. McGraw said.
         
Cigital informed Microsoft of the discovery Wednesday. Jim Desler, a
Microsoft spokesman, said the company was in the process of
investigating it. "This appears to be a relatively narrow and
technical deficiency," Mr. Desler said.
       
Avi Rubin, a principal researcher at AT&T Labs, characterized the
discovery as "big news" in the security field. "This is the height of
irony," said Mr. Rubin, author of the book "White-Hat Security
Arsenal." "It's almost like the measures you are taking to be more
secure are causing you to be more insecure."
       
Despite heavy publicity about security problems, researchers and
hackers continue to uncover flaws in popular programs. On Tuesday, for
example, a government-backed security group issued a widespread alert
about a flaw in a fundamental technology used in products from
hundreds of companies.
       
Mr. Gates, exasperated by reports of security bugs in Microsoft's
products, last month issued an internal memo that called for a broad
"Trustworthy Computing" initiative, which includes better training for
Microsoft programmers in writing more-secure computer code. His speech
Wednesday in San Francisco touched on the security advantages of its
new Visual Studio.NET programming tools, an important part of the
company's plans for Web services.
       
To some extent, Microsoft has been racing to match security features
of the Java programming technology developed by rival Sun Microsystems
Inc., including a concept called "managed code" that effectively
limits buffer overflow attacks. Mr. McGraw and Jeffrey Payne,
Cigital's chief executive, applauded Microsoft's use of such
techniques and acknowledged that managed code created with Visual
C++.NET shouldn't be vulnerable.
 
The timing of such disclosures is a hot topic. Microsoft has convinced
some security firms to wait before publicly reporting such flaws until
30 days after a software fix is available. Mr. Desler said it was
irresponsible for Cigital to give the company so little time to
respond and alert customers. "We are very concerned about the way it
was disclosed to us," he said.
       
Mr. Desler also said Cigital had been a candidate to review the
company's .NET security technology, but another security firm was
selected instead, suggesting that Cigital had a particular reason to
snub Microsoft.
       
"We don't pick targets of security alerts out of malevolence,"
responded Mr. McGraw, co-author of the book "Building Secure
Software." He added that delaying disclosures makes sense when
products are already in the field waiting to be attacked. In this
case, he said, Cigital wanted to warn programmers before they start
relying on the Microsoft product.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
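As an added illustration (not part of the forwarded article, not Microsoft's compiler code, and not Cigital's specific finding), the C program below simulates the stack-cookie approach the article describes: the compiler places a guard value after a function's local buffers and checks it before the function returns, so a classic overwrite of the saved return address is detected. It then generalizes to the weakness class the article alludes to when it says the Linux-side technique had been "shown to be vulnerable to attack": the check only runs at function return, so any control data the same overflow can reach and that is used earlier (here a function pointer the function calls) gets no protection at all. The frame layout, the fixed cookie value and the handler names are constructed for the demo; a real cookie is random per process and the real frame layout is compiler-specific.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated stack frame (constructed for this demo). Real compilers place
 * the cookie between local buffers and the saved return address; anything
 * the overflow reaches that the function uses BEFORE it returns gets no
 * protection from the cookie check. */
struct frame {
    char      buf[16];        /* the overflowable local buffer           */
    uint32_t  cookie;         /* compiler-inserted guard value           */
    void    (*handler)(void); /* control data that lies beyond the cookie */
    uintptr_t ret_addr;       /* stands in for the saved return address  */
};

/* A real cookie is random; a constant keeps the demo deterministic. */
#define COOKIE_VALUE 0x5A3C9E71u

enum outcome {
    RETURNED_CLEANLY,        /* no corruption                                  */
    COOKIE_MISMATCH_CAUGHT,  /* overflow detected by the return-time check      */
    HIJACKED_BEFORE_CHECK    /* attacker-chosen code ran before the check fired */
};

static int last_handler;                                 /* which handler ran  */
static void benign_handler(void) { last_handler = 1; }
static void evil_handler(void)   { last_handler = 2; }   /* stands in for shellcode */

/* The vulnerable function: an unchecked copy into the frame (the bug),
 * a call through its handler pointer, then the cookie check a /GS-style
 * compiler would emit in the epilogue. */
static enum outcome vulnerable(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie   = COOKIE_VALUE;
    f.handler  = benign_handler;
    f.ret_addr = 0x1000;

    if (len > sizeof f)          /* clamp so the demo itself stays defined behaviour */
        len = sizeof f;
    memcpy(&f, input, len);      /* copy starts at buf and runs past it: the overflow */

    last_handler = 0;
    f.handler();                 /* control data is used before the function returns */
    if (last_handler == 2)
        return HIJACKED_BEFORE_CHECK;

    if (f.cookie != COOKIE_VALUE)  /* the guard check, run only at return */
        return COOKIE_MISMATCH_CAUGHT;
    return RETURNED_CLEANLY;
}

/* Build a payload that fills buf, smashes the cookie, plants 'target' in
 * the handler slot and overwrites the return-address slot. */
static size_t build_payload(unsigned char *out, void (*target)(void))
{
    memset(out, 'A', sizeof(struct frame));
    memcpy(out + offsetof(struct frame, handler), &target, sizeof target);
    return sizeof(struct frame);
}

/* Input that fits in buf: nothing beyond the buffer is touched. */
enum outcome demo_well_behaved(void)
{
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return vulnerable(in, 8);
}

/* Classic return-address smash: the cookie is clobbered and the check
 * catches it before the corrupted return address is used. */
enum outcome demo_return_address_smash(void)
{
    unsigned char in[sizeof(struct frame)];
    size_t n = build_payload(in, benign_handler);   /* handler left intact */
    return vulnerable(in, n);
}

/* Same overflow, but the handler pointer past the cookie is replaced:
 * attacker code runs before the epilogue check ever executes. */
enum outcome demo_handler_hijack(void)
{
    unsigned char in[sizeof(struct frame)];
    size_t n = build_payload(in, evil_handler);
    return vulnerable(in, n);
}

int main(void)
{
    printf("well behaved:   %d\n", demo_well_behaved());          /* 0 */
    printf("ret smash:      %d\n", demo_return_address_smash());  /* 1 */
    printf("handler hijack: %d\n", demo_handler_hijack());        /* 2 */
    return 0;
}
```

Compile and run with `cc demo.c && ./a.out`. The point a practitioner should take away is that a stack cookie is a detector for one specific corruption (the saved return address, checked at return), not a general fix for out-of-bounds writes: function pointers, failure handlers or other control data that the same overflow can reach, and that the program touches before the check fires, must be kept out of the overflow's path (for instance by placing buffers above other locals) or the guard buys nothing.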

