Technology - Reuters Internet Report
Fri Feb 15, 9:52 PM ET
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - Microsoft Corp. on Friday said charges that its new Web services development software contained a flaw leaving computers open to hacker attack were "unfounded," but admitted that the intended security feature in question had never been designed as a kind of silver bullet.

Chairman and founder Bill Gates has staked the company's future on Web services and said computer users must know they can trust the security of Microsoft's offerings or they won't use them.

The feature at issue is in Visual C++ .NET, which was released on Wednesday. It was added to a development tool kit so programmers could prevent common exploits known as buffer overflows, said Gary McGraw, chief technology officer of Dulles, Virginia-based Cigital Inc., a software risk management consultancy. In a buffer overflow, an attacker sneaks malicious code onto a computer after overwhelming it with data.

However, the feature was implemented incorrectly and fails to do what it is supposed to do, according to McGraw, co-author of a book called "Building Secure Software."

"The Microsoft feature leads to a false sense of security because it is easily defeated," McGraw said.

Microsoft released a statement on Friday saying those allegations were "unfounded" and "incorrect."

The feature "provides an additional layer of security in the event that a programmer unknowingly develops a program containing a common coding error known as a buffer overrun," the statement said.

NEVER CLAIMED IT WAS A PANACEA

"Microsoft has never claimed that Buffer Security Checking is a panacea that eliminates all types of buffer overruns," the statement continued. "But Buffer Security Checking does help protect against the most important types of buffer overruns -- the types that are most commonly made and most often exploited."

McGraw complained that Microsoft was changing its position in light of his findings, saying: "They're trying to get people lost in the technical weeds and not focused on the real issue."

He pointed to a paper written late last year by a Microsoft engineer titled "How Visual C++.NET can Prevent Buffer Overruns" that he said shows they previously claimed the feature prevented the exploits.

"All we have done is point out that the /GS feature is itself susceptible to attack and should not be relied on to improve software security," Cigital said in a posting to the Bugtraq e-mail list Friday. "The short term solution is quite simple: don't use the feature, or if you insist on using the feature at least know the risks!"

Microsoft has long been criticized for releasing feature-laden products that are insecure, leaving millions of Windows users to contend with viruses and other security issues that can compromise data and networks.

Security is of paramount concern with Web services, which promise access to any software program from any device over the Internet. Critics have questioned how well Microsoft will be able to protect the security of the system given its track record with packaged software that isn't as integrated as Web services will be.

Gates revealed the Redmond, Washington-based company's new mantra, "trustworthy computing," in a rare company-wide e-mail last month. Microsoft has also said that all of its software developers are being trained in how to build more secure products.
Copyright © 2002 Reuters Limited. All rights reserved. Republication or redistribution of Reuters content is expressly prohibited without the prior written consent of Reuters. Reuters shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.