Microsoft: .Net Security Fears Unfounded

Microsoft goes on the offensive to restore confidence in its .Net platform after a security consulting firm claimed it had found a critical flaw in a new Microsoft compiler.

Microsoft Corp. is going on the offensive to restore confidence in its .Net platform after a security consulting firm claimed it had found a critical flaw in a new compiler Microsoft released earlier this week.

In an unusual move, a member of the team that developed the product in question--the Visual C++.Net compiler--posted a lengthy message to the Bugtraq security mailing list excoriating Cigital Inc. for making what Microsoft deems to be false claims in its press release and inciting unnecessary concerns about the security of .Net applications built with the compiler.

"To be clear, the security check feature introduced in the Microsoft Visual C++.Net compiler is NOT vulnerable," wrote Brandon Bray, a member of the products development team. "The allegation that applications compiled with Visual C++s /GS switch somehow expose themselves to more attacks is unfounded and patently false."

The controversy began Thursday when Cigital published a press release warning that the /GS feature in the .Net compiler gave developers a false sense of security by making them think that they could use vulnerable code functions and still be protected from buffer overflows, a common and dangerous kind of security vulnerability.

The problem lies in the implementation of /GS, a tool similar to StackGuard, a technology used in some versions of Linux that is designed to prevent some buffer overflows. Cigital warned that any code developed in Visual C++.Net, a compiler designed to help developers write native code for the new .Net Framework, is vulnerable to a well-known attack that enables a cracker to bypass StackGuard and launch a successful buffer overflow attack, according to Gary McGraw, chief technology officer at Cigital, a security consulting firm in Dulles, Va.

"If developers rely on this when they produce native code, theyll have a false sense of security in what theyre writing," said McGraw. The problem should not affect managed code developed for .Net.

In his Bugtraq post, Bray points out that the /GS security tool was designed to protect software written with the compiler from some, not all, buffer overflows.

"Certainly, trying to detect all buffer overruns was out of the question for several reasons: (1) C and C++ are inherently dangerous and not all attacks are buffer overruns, (2) in many cases the operating system and hardware support are needed to capture attacks," Bray wrote. He added that company tests showed the tool protected between 40 percent and 60 percent of functions that were vulnerable to a specific kind of buffer overflow.

He goes on to say that Microsoft could easily change the architecture of the /GS tool to prevent the attack brought up by Cigital, but that would make the tool slower and would do nothing to address the "many other targets of the same attack."

The attack that Cigital cites was outlined nearly two years ago in Phrack Magazine, the venerable hacker publication.

News of the alleged vulnerability in the compiler comes at a critical time for Microsoft, which is in the process of rolling out its highly publicized .Net Web services initiative.

Bill Gates, chairman and chief software architect, recently declared security to be Microsofts highest priority and has imposed a ban on new code-writing this month as developers comb through existing .Net and Windows programs searching for security problems.

McGraw praised Microsoft for its recent effort to refocus its resources on developing secure code and said he believes the company is sincere in its desire to improve its security. However, he said some of the efforts may be misplaced.

"Microsoft seems to be doing the right thing," he said. "This is a pretty sophisticated attack, but there are better things to do than stick [StackGuard] in there."