A key Microsoft development tool launched last week could create business software that is vulnerable to hacking, an IT security company has warned.
A fault in the C++ compiler in Visual Studio .net has prompted risk management software firm Cigital to warn that executable code built by the compiler will be vulnerable to buffer overflow attacks - one of the vulnerabilities that hackers most commonly exploit.
Gary McGraw, Cigital's chief technology officer, said the protection mechanism in Visual Studio .net, which is supposed to eliminate certain buffer overflows, is itself susceptible to a buffer overflow attack.
This means that when the code is changed from the program script written by the developer into the numeric code that the microprocessor understands - a process known as compilation - the flaw in the software may result in similar flaws being overlooked in the code.
Stuart Okin, chief security officer at Microsoft UK, is annoyed at how the news was leaked. "Anyone who discovers a security problem should first go to the supplier to give it a chance to respond. It is irresponsible to make a vulnerability public before a patch is available. Microsoft is investigating the claim and will respond accordingly," he said.
Because most developers make buffer overflow errors in their programs at one time or another, Microsoft has not been singled out for its failings, despite the company's recent vow to put security before all else.
Kenneth De Spiegeleire, manager of security assessment at Internet Security Systems, said, "It must be embarrassing to Microsoft to have a buffer overflow problem in its buffer overflow protection. These are not always easy to pick up and you cannot rely on security scanners to pick up every case. The software has to be examined manually and even then human error is always possible."
What is a buffer overflow attack?
When a computer program takes input from, for example, a keyboard, the data has to be stored somewhere in its memory. Developers direct the input to a fixed memory space called a buffer.
The input is expected to be a particular length but sometimes the developer omits the necessary checks to examine the length of the input and truncate it if it is too big for the buffer.
Hackers will type longer and longer inputs to see what happens when the buffer input overflows into neighbouring memory. Sometimes the system crashes but at other times it corrupts the code and, with a specially malformed input, new code can be injected into the application that allows the hacker to take control of the system or gain administrator-level access to the network.