Microsoft has refuted charges that its recently released Visual C++ .NET product contains a security vulnerability that could turn up in applications developed with the tool. In private and public communications, the company explained that allegations of a "buffer overrun" vulnerability are "unfounded and incorrect." Furthermore, questions now surround the individual who originally raised the issue because Microsoft didn't select the company he represents--Cigital, a software risk-management consultancy--to participate in a Microsoft .NET security-code review.
"We are very concerned because of the way this was reported to us," a Microsoft spokesperson said Friday. "Professional security firms don't handle security this way, in terms of contacting a vendor and putting out a press release nearly simultaneously." Desler says that Cigital was a potential candidate for participation in a review of Microsoft's .NET security technology but ultimately wasn't selected. This fact raises the ugly specter that Cigital generated the reports about Visual C++ .NET solely for revenge.
The issue is technical. In Friday's Wall Street Journal, Cigital Chief Technology Officer (CTO) Gary McGraw claimed that Visual C++ .NET, part of Visual Studio .NET, contained an improperly implemented feature that caused the infamous buffer overrun problem to appear in code written with the tool. Ironically, McGraw said, Microsoft originally implemented the feature to fix that very problem. "The Microsoft feature leads to a false sense of security because it is easily defeated," he said.
Microsoft, however, was quick to defend the product. "\[This feature\] provides an additional layer of security in the event that a programmer unknowingly develops a program containing a common coding error known as a buffer overrun," the company wrote in a statement issued Friday. "Microsoft has never claimed that \[the feature\] is a panacea that eliminates all types of buffer overruns. But \[it\] does help protect against the most important types of buffer overruns--the types that are most commonly made and most often exploited."
Brandon Bray, a Visual C++ .NET program manager, said Friday that Cigital is simply trying to make a name for itself and that the Visual C++ .NET feature in question is solid. "\[The feature\] is an insurance policy for the problems you did not know about," Bray said. "Unfortunately, the consulting agency that 'found' this problem believed that \[it\] was there to prevent all buffer overruns from exploiting an application; this agency is severely misinformed."
And so, apparently, was I. I apologize for any confusion an earlier Short Takes item might have caused.