Design Flaw Found in .NET Framework

Even though it took only hours for security experts to discover a vulnerability in Microsoft's newly released security enhancement, the report's author says Microsoft developers should be "commended" for their attitude and approach to security.
Posted February 14, 2002
By

Jim Wagner


On Wednesday morning, Microsoft (NASDAQ:MSFT) released a new security enhancement for Visual C++.NET and Visual C++ 7 to prevent source code from buffer overflow attacks. Hours later, a Dulles, Va.-based software risk management outfit was on the phone with Microsoft explaining the design flaw in the new security enhancement.

Gary McGraw, Cigital chief technical officer and author of the book, "Building Secure Software," said he talked to Microsoft Wednesday morning about the flaw, recommending possible fixes.

He said officials were very receptive to the phone call, made a day before Cigital released the design flaw to the world, and thinks developers are already working on a fix for future releases.

McGraw says it was relatively easy to detect the vulnerability because Microsoft uses a security approach based on StackGuard, a piece of code that lets developers set a "security error handler" function in their program to give an alert in the event of a possible attack.

Unfortunately, there are several workarounds to the StackGuard approach that are well known in the hacker community.

"StackGuard has been shown to be susceptible to certain attacks in the past," McGraw said. "Unfortunately, Microsoft didn't figure that out, or didn't read those reports and they implemented a flawed version of this approach.

"The flaw itself cannot be actively exploited today by attackers," he continued. "So it's not like saying, 'You're Web server's broken, everyone panic,' instead there's a flaw in a tool for producing software. In this case, the flaw was a little subtle, so it's not like today a bunch of script kiddies can run out and knock over Web servers because of the flaw."

What's particularly embarrassing to Microsoft is how fast the vulnerability was found, this after Bill Gates, Microsoft founder and chief software officer, said the software giant now has a new commitment to software security and producing bug-free applications.

In a sweeping email memo to employees at the Redmond, WA-based company, Gates said the future of Microsoft is dependent on the quality of product they produce.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable," the email said. "Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."

McGraw doesn't see Wednesday's discovered flaw as justification for scrapping .Net and writing Microsoft off as a software solution, just the opposite, in fact.

"The fact is, Microsoft is doing the right thing and they should be commended," he said. "They have the right attitude and they're working hard to teach their developers to do the right thing. The problem is that software security is hard, and finding risks and vulnerabilities, especially at the design level, is a real challenge."

This story was first published on InternetNews.com an internet.com site.






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.