http://story.news.yahoo.com/news?tmpl=story&cid=581&u=/nm/20020214/tc_nm/tech_microsoft_security_dc_22

Microsoft Web Toolkit Has Security Loophole -Expert

Thu Feb 14, 2:43 PM ET

By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - A security expert said on Thursday that a feature that was added to make Microsoft Corp.'s new Web services development tool kit more secure would actually leave the software open to attack from hackers.

The discovery comes as the software giant puts a greater emphasis on security in the hopes that computer users will feel comfortable using its new Web services, which promise access to any software program from any device over the Internet.

Microsoft has long been criticized as sacrificing security for functionality in its products, leaving millions of Windows users to contend with viruses and other security issues that can compromise data and networks.

The new flaw was discovered in Visual C++ .NET, also called version 7, and could affect any type of software program a developer chooses to write with the tool kit, according to Gary McGraw, chief technology officer of Dulles, Virginia-based Cigital Inc., a software risk management consultancy.

The flawed feature was intended to allow developers to provide greater security to the software they write for Microsoft's new .NET Web services platform, announced by the company with fanfare on Wednesday, he said.

"The feature was designed and implemented incorrectly. Instead of protecting, it doesn't do anything," said McGraw, author of a book called "Building Secure Software."

Specifically, the bug is in the software that compiles source code into code the machine can understand, he said, adding that the bug allows for a common type of security vulnerability called a "buffer overflow," which could allow a remote attacker to take control of a computer.

<snip>