Visual Studio security already questioned

A feature in Microsoft's new Visual C++ .Net compiler, intended to limit the damage done by buffer overflow programming errors, has been found to have problems of its own.

The development tool includes a compiler option (the /GS buffer security check, a stack-cookie scheme in the same vein as the open-source StackGuard) designed to detect a buffer overflow at run time before an attacker can use it to take control of the program.

However, according to Gary McGraw, chief technology officer at Cigital, a security consultancy: "The protection mechanism itself is susceptible to a buffer overflow attack."

McGraw suggested that developers who make use of the feature could come away with a false sense of security. "Malicious hackers can then exploit the software once it is fielded, leaving unsuspecting users completely exposed," he warned.

The rest of the Visual C++ .Net compiler (version 7 of Visual C++) is fine from a security standpoint, McGraw said.
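The article does not describe the mechanism or the weakness in detail, so the following is an added illustration, not Microsoft's or Cigital's code, of the kind of check at issue and the caveat a practitioner should keep in mind when relying on it. A function's frame is modelled as a struct (the layout, names and cookie value are assumptions) so the demo runs deterministically and never touches the real stack. An unbounded copy into a fixed buffer smashes whatever lies above it; the cookie is compared only in the epilogue, so a callback pointer sitting in the same frame and used before the return is hijacked before the check ever runs. The payload bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack-cookie ("canary") protection of the kind the article describes,
 * modelled on a struct so the frame layout is deterministic and the demo
 * does not corrupt the real stack. Added illustration only; the layout and
 * names are assumptions, not Microsoft's implementation. */

typedef void (*callback_t)(void);

/* Assumed frame of a cookie-protected function, lowest address first:
 * overflowable buffer, a function-pointer local, the cookie, the saved
 * return address. A copy past buf[] walks up into the later members. */
typedef struct {
    char       buf[16];
    callback_t on_done;    /* used before the function returns */
    uintptr_t  cookie;     /* checked in the epilogue */
    uintptr_t  saved_ret;  /* what the cookie is there to guard */
} frame_t;

/* A real implementation picks this at random per process. */
static const uintptr_t g_cookie = (uintptr_t)0x5eed1234u;

static int g_handler_fired;   /* set when the cookie check fails */
static int g_hijacked;        /* set when the attacker's code runs */

static void security_failure_handler(void) { g_handler_fired = 1; }
static void legit_callback(void)            { /* normal completion work */ }
static void attacker_callback(void)         { g_hijacked = 1; }

enum { RET_OK = 0, RET_COOKIE_SMASHED = 1 };

/* Resets the observation flags between scenarios. */
static void reset_flags(void) { g_handler_fired = 0; g_hijacked = 0; }

/* The "protected" function: unbounded copy of untrusted input into a
 * fixed buffer (the bug a cookie exists to catch), a callback call, then
 * the epilogue cookie check. The copy is capped at the frame size only so
 * the demo stays inside its own struct; everything above buf[] is exposed. */
static int process_input(const char *src, size_t n) {
    frame_t f;
    f.on_done   = legit_callback;
    f.cookie    = g_cookie;
    f.saved_ret = (uintptr_t)0x401000;   /* stand-in return address */

    if (n > sizeof f) n = sizeof f;
    memcpy((char *)&f, src, n);          /* &f == &f.buf[0]; no bound on buf */

    f.on_done();                         /* runs BEFORE the cookie check */

    if (f.cookie != g_cookie) {          /* epilogue check */
        security_failure_handler();
        return RET_COOKIE_SMASHED;
    }
    return RET_OK;
}

/* Constructed attacker payload: fills buf[], plants `target` over on_done,
 * and optionally trashes the cookie too. Returns the payload length. */
static size_t build_payload(char *out, callback_t target, int smash_cookie) {
    size_t n = offsetof(frame_t, cookie);
    memset(out, 'A', offsetof(frame_t, on_done));
    memcpy(out + offsetof(frame_t, on_done), &target, sizeof target);
    if (smash_cookie) {
        memset(out + offsetof(frame_t, cookie), 'A', sizeof(uintptr_t));
        n += sizeof(uintptr_t);
    }
    return n;
}

/* Scenario 1: well-behaved input, nothing fires. */
static int demo_benign(void) {
    reset_flags();
    const char *in = "hello";
    return process_input(in, strlen(in) + 1);
}

/* Scenario 2: an overflow that reaches the cookie (callback left valid so
 * the function gets as far as its epilogue): detected, handler runs. */
static int demo_detected(void) {
    reset_flags();
    char p[sizeof(frame_t)];
    size_t n = build_payload(p, legit_callback, 1);
    return process_input(p, n);
}

/* Scenario 3: the same overflow with the attacker's pointer planted over
 * on_done: the hijacked call happens before the cookie is looked at, so
 * the check still fires but only after control has already been lost. */
static int demo_bypass_before_check(void) {
    reset_flags();
    char p[sizeof(frame_t)];
    size_t n = build_payload(p, attacker_callback, 1);
    return process_input(p, n);
}

int main(void) {
    int r1 = demo_benign();
    printf("benign: ret=%d handler=%d hijacked=%d\n", r1, g_handler_fired, g_hijacked);
    int r2 = demo_detected();
    printf("smash:  ret=%d handler=%d hijacked=%d\n", r2, g_handler_fired, g_hijacked);
    int r3 = demo_bypass_before_check();
    printf("hijack: ret=%d handler=%d hijacked=%d\n", r3, g_handler_fired, g_hijacked);
    return 0;
}
```

The takeaway for anyone enabling a cookie check is the one McGraw's warning turns on: the check fires at function return and nowhere else, so it does nothing for pointers, handlers or other data the overflow can reach and the program uses earlier, and the failure path itself is code that runs on attacker-triggered input. It is a mitigation for one exploitation pattern, not a substitute for bounded copies.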

Microsoft expressed concern that Cigital publicly aired the claim so quickly without giving it any time to respond. Typically, companies that discover security flaws give vendors up to a few weeks to resolve the issues before going public. Microsoft described the announcement as "a transparent publicity grab".

Cigital said it chose to announce the alleged flaw immediately because developers relying on the feature could otherwise ship flawed applications without knowing about the problem.

"This was a preventable step because they don't have to use that feature in the compiler," a spokeswoman commented. "If we can prevent that, everybody's better off."

Security analysts, however, appeared uncomfortable with Cigital's reporting procedures.

Eric Hemmendinger, an analyst at Aberdeen Group said: "I question somebody's motives when they jump the gun".

Charles Kolodgy, an analyst at IDC agreed. "You always tell the other company before you make an announcement," Kolodgy said.

The disclosure could not have come at a worse time. Last month, Microsoft chairman Bill Gates issued a memo to all company employees urging them to make "trustworthy computing" their highest priority.

The first product to come out of this strong security effort was, in fact, Visual Studio.

News of this particular flaw, so soon after the product's launch, is clearly an embarrassment for the software giant and puts into doubt the company's ability to deliver the security underpinning outlined by Gates.
