Microsoft Web toolkit has security loophole: Expert

CIOL Bureau
New Update

Elinor Mills Abreu


SAN FRANCISCO: A security expert said on Thursday that a feature that was added to make Microsoft Corp.'s new Web services development tool kit more secure would actually leave the software open to attack from hackers.

The discovery comes as the software giant puts a greater emphasis on security in the hopes that computer users will feel comfortable using its new Web services, which promise access to any software program from any device over the Internet.

Microsoft has long been criticized as sacrificing security for functionality in its products, leaving millions of Windows users to contend with viruses and other security issues that can compromise data and networks.


The new flaw was discovered in Visual C++ .NET, also called version 7, and could affect any type of software program a developer chooses to write with the tool kit, according to Gary McGraw, chief technology officer of Dulles, Virginia-based Cigital Inc., a software risk management consultancy.

The flawed feature was intended to allow developers to provide greater security to the software they write for Microsoft's new .NET Web services platform, announced by the company with fanfare on Wednesday, he said.

"The feature was designed and implemented incorrectly. Instead of protecting, it doesn't do anything," said McGraw, author of a book called "Building Secure Software."

Specifically, the bug is in the software that compiles source code into code the machine can understand, he said, adding that the bug allows for a common type of security vulnerability called a "buffer overflow," which could allow a remote attacker to take control of a computer.


In a buffer overflow attack, a hacker sneaks a malicious code onto a computer at a time when it is overwhelmed with data. Microsoft was not immediately available to comment on Thursday. McGraw said he had talked with several Microsoft officials and they had admitted to him that there was a security flaw.

McGraw said Microsoft could fix the bug in the next version of the tool kit and, in the meantime, advise developers to not use the feature in writing their software programs. Last month Microsoft Chairman Bill Gates sent an e-mail to all his employees directing them to focus on security and "trustworthy computing" above all else.

"It's doubly ironic," McGraw said of the new security bug. "It's not only a flaw but a security feature flaw." However, he said he feels Microsoft is doing the right thing with its security push.

"The problem is you can't build security into the side, you have to train people," he added. "I believe Microsoft does want to do a better job; it's just going to be a challenge."