On Wednesday morning, Microsoft (NASDAQ:MSFT) released a new security
enhancement for Visual C++.NET and Visual C++ 7 to prevent source code from
buffer overflow attacks. Hours later, a Dulles, Va.-based software risk management outfit was on the phone with Microsoft explaining the design flaw
in the new security enhancement.
Gary McGraw, Cigital chief technical officer and author of the book,
“Building Secure Software,” said he talked to Microsoft Wednesday morning
about the flaw, recommending possible fixes.
He said officials were very receptive to the phone call, made a day before
Cigital released the design flaw to the world, and thinks developers are
already working on a fix for future releases.
McGraw says it was relatively easy to detect the vulnerability because
Microsoft uses a security approach based on StackGuard, a piece of code
that lets developers set a “security error handler” function in their
program to give an alert in the event of a possible attack.
Unfortunately, there are several workarounds to the StackGuard approach
that are well known in the hacker community.
“StackGuard has been shown to be susceptible to certain attacks in the
past,” McGraw said. “Unfortunately, Microsoft didn’t figure that out, or
didn’t read those reports and they implemented a flawed version of this
approach.
“The flaw itself cannot be actively exploited today by attackers,” he
continued. “So it’s not like saying, ‘You’re Web server’s broken, everyone
panic,’ instead there’s a flaw in a tool for producing software. In this
case, the flaw was a little subtle, so it’s not like today a bunch of
script kiddies can run out and knock over Web servers because of the flaw.”
What’s particularly embarrassing to Microsoft is how fast the vulnerability
was found, this after Bill Gates, Microsoft founder and chief software
officer, said the software giant now has a new
commitment to software security and producing bug-free applications.
In a sweeping email memo to employees at the Redmond, WA-based company,
Gates said the future of Microsoft is dependent on the quality of product
they produce.
“As software has become ever more complex, interdependent and
interconnected, our reputation as a company has in turn become more
vulnerable,” the email said. “Flaws in a single Microsoft product, service
or policy not only affect the quality of our platform and services overall,
but also our customers’ view of us as a company.”
McGraw doesn’t see Wednesday’s discovered flaw as justification for
scrapping .Net and writing Microsoft off as a software solution, just the
opposite, in fact.
“The fact is, Microsoft is doing the right thing and they should be
commended,” he said. “They have the right attitude and they’re working
hard to teach their developers to do the right thing. The problem is that
software security is hard, and finding risks and vulnerabilities,
especially at the design level, is a real challenge.”
This story was first published on InternetNews.com an internet.com site.
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2020
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Anticipating The Coming Wave Of AI Enhanced PCs
FEATURE | By Rob Enderle,
September 05, 2020
The Critical Nature Of IBM’s NLP (Natural Language Processing) Effort
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
August 14, 2020
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.
Advertise with Us
Property of TechnologyAdvice.
© 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this
site are from companies from which TechnologyAdvice receives
compensation. This compensation may impact how and where products
appear on this site including, for example, the order in which
they appear. TechnologyAdvice does not include all companies
or all types of products available in the marketplace.