Microsoft’s Buffer-Overrun Problem: Fact or Fallacy?

You're accustomed to hearing about Microsoft security flaws. However, a recent warning regarding Visual C++ .NET might not have been as straightforward—or as helpful—as it first appeared to be.

The announcement came soon after the public release of Microsoft's long-awaited Microsoft .NET—oriented software-development suite. Gary McGraw, the chief technology officer (CTO) for Cigital, claimed that the Visual C++ .NET compiler, a part of the Visual Studio .NET suite, contains an improperly implemented feature (known as Buffer Security Checking) that causes a buffer-overrun problem to appear in code written with the tool. (Intruders can use buffer overruns to launch potentially serious attacks.) Ironically, McGraw said, Microsoft originally implemented the feature to fix that very problem. "The Microsoft feature leads to a false sense of security because it is easily defeated," he asserted.

Microsoft quickly refuted these charges. In private and public communications, the company asserted that allegations of a buffer-overrun vulnerability were "unfounded and incorrect ... \[This feature\] provides an additional layer of security in the event that a programmer unknowingly develops a program containing a common coding error known as a buffer overrun," the company wrote. "Microsoft has never claimed that \[the feature\] is a panacea that eliminates all types of buffer overruns. But \[it\] does help protect against the most important types of buffer overruns—the types that are most commonly made and most often exploited."

"\[The feature\] is an insurance policy for the problems you did not know about," Brandon Bray, a Visual C++ program manager, said. "Unfortunately, the consulting agency that 'found' this problem believed that \[the program\] was there to prevent all buffer overruns from exploiting an application; this agency is severely misinformed."

Furthermore, Microsoft questioned McGraw's integrity. The software company had previously declined a request from Cigital, a software risk-management consultancy, to participate in a .NET security-code review. Could Cigital's report have been a form of retaliation? "We are very concerned because of the way this was reported to us," a Microsoft spokesperson said a day after Cigital's claims became public. "Professional security firms don't handle security this way, in terms of contacting a vendor and putting out a press release nearly simultaneously."

Microsoft has been trying to reinvent itself as a company that produces secure code that protects users' privacy and safety; witness Microsoft's recent Trustworthy Computing initiative, in which the company temporarily halted product development to ensure that its key software products were secure. But the public reaction to Cigital's report shows that Microsoft has a long way to go before consumers buy into the company's trustworthiness.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.