[Am-info] MS .NET compiler gives false sense of security
Gene Gaines <gene.gaines@gainesgroup.com>
Thu, 14 Feb 2002 17:50:53 -0500
If Gates says it, can you bet on it not being true?
Microsoft trumpets Gates' "Trustworthy Computing Initiative"
"quick say we fixed it...say we fixed it quick..."
So...
Cigital Warns of Security Flaw in Microsoft .NET Compiler
Testing on Company's Next Generation Security Product reveals MS Flaw
DULLES, Va., February 14, 2002 - Cigital, Inc., the software
risk management (SRM) solution provider that helps
companies protect themselves from the business risks of
software failure, today announced the discovery of a
design-level flaw in a security feature included in
Microsoft's Visual C++.NET and Visual C++ version 7 compiler.
The defect, which leaves executable code built by the compiler
vulnerable to a buffer overflow attack, was uncovered in
Cigital Labs during testing of Cigital's soon-to-be-released
security assessment product.
The Microsoft compiler was specifically enhanced with a
feature meant to protect potentially vulnerable source code
automatically from certain forms of buffer overflow attack.
Because the protection mechanism itself is susceptible to a
buffer overflow attack, developers who make use of the
feature may come away with a false sense of security and
unintentionally discount critical implementation problems.
Malicious hackers can then exploit the software once it is
fielded, leaving unsuspecting users completely exposed.
...
Gene Gaines
gene.gaines@gainesgroup.com
Sterling, Virginia