.Net Security Flaw Exposed

A security flaw in Microsoft's new .Net compiler could lead programmers to unknowingly include buffer overflows in any code they write for the new .Net Framework.

A security consulting company is warning that a security tool included in Microsoft Corp.s new Visual C++.Net compiler is flawed, but Microsoft officials say there is no flaw and that the tool works just as it was designed to.

The problem lies in the implementation of tool similar to StackGuard, a technology used in some versions of Linux that is designed to prevent buffer overflows. However, according to Gary McGraw, chief technology officer at Cigital Inc., a security consulting firm in Dulles, Va., the /GS security check tool doesnt protect native code written with the compiler as well as it should.

"If developers rely on this when they produce native code, theyll have a false sense of security in what theyre writing," said McGraw. The problem should not affect managed code developed for .Net.

McGraw said Cigital notified Microsoft, based in Redmond, Wash., of the problem, and that the company acknowledged the issue.

The controversy comes at a critical time for Microsoft, which is in the process of rolling out its highly publicized .Net Web services initiative.

Bill Gates, chairman and chief software architect, recently declared security to be Microsofts highest prioritydeclared security to be Microsofts highest priority and has imposed a ban on new code-writing this month as developers comb through existing .Net and Windows programs searching for security problems.

The attack to which the compiler is vulnerable was outlined nearly two years ago in Phrack Magazine, the venerable hacker publication.

McGraw praised Microsoft for its recent effort to refocus its resources on developing secure code and said he believes the company is sincere in its desire to improve its security. However, he said some of the efforts may be misplaced.

"Microsoft seems to be doing the right thing," he said. "This is a pretty sophisticated attack, but there are better things to do than stick [StackGuard] in there."

StackGuard is the brainchild of Crispin Cowan, co-founder of WireX Communications Inc., which sells the Immunix secure distribution of RedHat Linux.