http://story.news.yahoo.com/news?tmpl=story&cid=581&u=/nm/20020214/tc_nm/tech_microsoft_security_dc_22

Microsoft Web Toolkit Has Security Loophole -Expert
Thu Feb 14, 2:43 PM ET

By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - A security expert said on Thursday that a feature that was added to make Microsoft Corp.'s new Web services development tool kit more secure would actually leave the software open to attack from hackers.

The discovery comes as the software giant puts a greater emphasis on security in the hopes that computer users will feel comfortable using its new Web services, which promise access to any software program from any device over the Internet.

Microsoft has long been criticized as sacrificing security for functionality in its products, leaving millions of Windows users to contend with viruses and other security issues that can compromise data and networks.

The new flaw was discovered in Visual C++ .NET, also called version 7, and could affect any type of software program a developer chooses to write with the tool kit, according to Gary McGraw, chief technology officer of Dulles, Virginia-based Cigital Inc., a software risk management consultancy.

The flawed feature was intended to allow developers to provide greater security to the software they write for Microsoft's new .NET Web services platform, announced by the company with fanfare on Wednesday, he said.

"The feature was designed and implemented incorrectly. Instead of protecting, it doesn't do anything," said McGraw, author of a book called "Building Secure Software."

Specifically, the bug is in the software that compiles source code into code the machine can understand, he said, adding that the bug allows for a common type of security vulnerability called a "buffer overflow," which could allow a remote attacker to take control of a computer.
<snip>
