Security warning issued for MS developer tool

A feature in a compiler included in Microsoft Corp.’s newly announced Visual C++ .Net application can unwittingly allow developers to create programs vulnerable to buffer overflow attacks, according to a warning issued today by security consultancy Cigital Inc.

Gary McGraw, chief technology officer of the Dulles, Va.-based security company, said the compiler includes a feature called StackGuard that’s supposed to protect against buffer overflows caused by hackers in an attack. Instead, the company said today in an announcement that “because the protection mechanism itself is susceptible to a buffer overflow attack, developers who make use of the feature may come away with a false sense of security and unintentionally discount critical implementation problems. Malicious hackers can then exploit the software once it is fielded, leaving unsuspecting users completely exposed.”

McGraw said StackGuard is the only part of the compiler that appears to be a problem. The rest of the Visual C++ .Net and Visual C++ Version 7 compiler is fine from a security standpoint, he said. “That one feature shouldn’t be used.”

Cigital’s announcement was unusual in that the company issued it only a day after notifying Microsoft officials of the potential problem. Microsoft launched its latest Visual C++. Net applications yesterday in San Francisco at a meeting for developers.

Microsoft spokesman Jim Desler said his company is upset that Cigital publicly aired the claim so quickly without giving it any time to respond. Typically, when security flaws are uncovered, companies that discover them give vendors up to a few weeks to resolve the issues.

“This is just not how a security company should handle it,” Desler said of Cigital. “It seems to be a transparent publicity grab.”

Desler said sour grapes may have also played a part in the quick announcement. Cigital had previously been in the running for a contract to do security reviews for Microsoft, but was not chosen. “That’s just something that may be part of the backdrop of this,” he said.

McGraw at Cigital say the report of the alleged flaw is unrelated.

“There’s absolutely no truth in that,” he said. “We do software security analyses for customers worldwide every day. Sometimes we win work. Sometimes we don’t.”

Cigital spokeswoman Jen Norman said the company chose to announce the alleged flaw immediately because, as a development tool, it could have allowed developers to create flawed applications without knowing about the problem. “This was a preventable step because they don’t have to use that feature in the compiler,” she said. “If we can prevent that, everybody’s better off.”

Security analysts, however, appeared to be uncomfortable with Cigital’s reporting procedures in this case.

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said “one day is not a reasonable amount of time” to give notice about a potential flaw before going public. “I question somebody’s motives when they jump the gun,” he added.

What would have been a more constructive approach, he said, is if Cigital had issued a press release advising developers that the feature may not be as safe as Microsoft had intended and suggested that they wait to use it until after it’s fixed.

Charles Kolodgy, an analyst at IDC in Framingham, Massachusetts, agreed.

“You always tell the other company before you make an announcement,” Kolodgy said. Normally, the time given ranges from a few days to a few weeks.

“It keeps being bad news for [Microsoft]” in terms of security, he added.

Last month, Microsoft chairman and chief software architect Bill Gates issued a memo to all company employees urging them to make “trustworthy computing” their highest priority (see story). The effort is in response to what has been seen as a growing dissatisfaction with security in the company’s products.

Microsoft Canada Co. in Mississauga, Ont., is at