Microsoft: .Net Security Fears Unfounded | eWeek

Microsoft: .Net Security Fears Unfounded

Écrit par
Dennis Fisher
Dennis Fisher
Feb 15, 2002
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. is going on the offensive to restore confidence in its .Net platform after a security consulting firm claimed it had found a critical flaw in a new compiler Microsoft released earlier this week.

In an unusual move, a member of the team that developed the product in question–the Visual C++.Net compiler–posted a lengthy message to the Bugtraq security mailing list excoriating Cigital Inc. for making what Microsoft deems to be false claims in its press release and inciting unnecessary concerns about the security of .Net applications built with the compiler.

“To be clear, the security check feature introduced in the Microsoft Visual C++.Net compiler is NOT vulnerable,” wrote Brandon Bray, a member of the products development team. “The allegation that applications compiled with Visual C++s /GS switch somehow expose themselves to more attacks is unfounded and patently false.”

The controversy began Thursday when Cigital published a press release warning that the /GS feature in the .Net compiler gave developers a false sense of security by making them think that they could use vulnerable code functions and still be protected from buffer overflows, a common and dangerous kind of security vulnerability.

The problem lies in the implementation of /GS, a tool similar to StackGuard, a technology used in some versions of Linux that is designed to prevent some buffer overflows. Cigital warned that any code developed in Visual C++.Net, a compiler designed to help developers write native code for the new .Net Framework, is vulnerable to a well-known attack that enables a cracker to bypass StackGuard and launch a successful buffer overflow attack, according to Gary McGraw, chief technology officer at Cigital, a security consulting firm in Dulles, Va.

“If developers rely on this when they produce native code, theyll have a false sense of security in what theyre writing,” said McGraw. The problem should not affect managed code developed for .Net.

In his Bugtraq post, Bray points out that the /GS security tool was designed to protect software written with the compiler from some, not all, buffer overflows.

“Certainly, trying to detect all buffer overruns was out of the question for several reasons: (1) C and C++ are inherently dangerous and not all attacks are buffer overruns, (2) in many cases the operating system and hardware support are needed to capture attacks,” Bray wrote. He added that company tests showed the tool protected between 40 percent and 60 percent of functions that were vulnerable to a specific kind of buffer overflow.

He goes on to say that Microsoft could easily change the architecture of the /GS tool to prevent the attack brought up by Cigital, but that would make the tool slower and would do nothing to address the “many other targets of the same attack.”

The attack that Cigital cites was outlined nearly two years ago in Phrack Magazine, the venerable hacker publication.

News of the alleged vulnerability in the compiler comes at a critical time for Microsoft, which is in the process of rolling out its highly publicized .Net Web services initiative.

Bill Gates, chairman and chief software architect, recently declared security to be Microsofts highest priority and has imposed a ban on new code-writing this month as developers comb through existing .Net and Windows programs searching for security problems.

McGraw praised Microsoft for its recent effort to refocus its resources on developing secure code and said he believes the company is sincere in its desire to improve its security. However, he said some of the efforts may be misplaced.

“Microsoft seems to be doing the right thing,” he said. “This is a pretty sophisticated attack, but there are better things to do than stick [StackGuard] in there.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.