Press Release

Cigital Warns of Security Flaw in Microsoft .NET Compiler
Testing on Company's Next Generation Security Product reveals MS Flaw

DULLES, Va., February 14, 2002—Cigital, Inc., the software risk management (SRM) solution provider that helps companies protect themselves from the business risks of software failure, today announced the discovery of a design-level flaw in a security feature included in Microsoft's Visual C++.NET and Visual C++ version 7 compiler. The defect, which leaves executable code built with the compiler's protection feature vulnerable to a buffer overflow attack, was uncovered in Cigital Labs during testing of Cigital's soon-to-be-released security assessment product.

The Microsoft compiler was enhanced with a feature meant to protect programs built from potentially vulnerable source code automatically against certain forms of buffer overflow attack. Because the protection mechanism is itself susceptible to a buffer overflow attack, developers who rely on the feature may come away with a false sense of security and discount critical implementation problems that remain in their code. Once such software is fielded, malicious hackers can exploit it, leaving unsuspecting users completely exposed.
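The following C program is an added illustration of the design-level point made in the preceding paragraph; it is not Cigital's or Microsoft's code, and it does not reconstruct the specific flaw announced here, whose mechanism the release does not describe. It models one generic way a compiler-inserted overflow check can be defeated: a cookie placed above a stack buffer is verified only when the function returns, so any frame data that the overflow also clobbers and that the function uses before returning (here an assumed callback pointer stored above the cookie) is consumed unchecked. The struct layout, cookie value, handler names and attacker input are all constructed for the model; the hardened variant shows the source-level fix a code review would demand, validating the length before the copy rather than trusting the check to catch the damage afterwards.

```c
/* Added model of a compiler-inserted stack cookie and the limit of a check that
 * runs only at function exit. Constructed for illustration; not Cigital's,
 * Microsoft's, or a reconstruction of the flaw in the release. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE 0xC0FFEE42u   /* assumed cookie value; a real build randomises it */

/* Constructed stand-in for a stack frame: the buffer, the cookie the compiler
 * places above it, and a saved pointer above the cookie (a saved handler or
 * return pointer would sit in the same relative position on a real stack). */
struct frame {
    char     buf[16];
    uint32_t cookie;
    void   (*on_done)(void);
};

static int g_benign_calls = 0;
static int g_hijacked_calls = 0;
static void benign_handler(void)   { g_benign_calls++; }
static void attacker_handler(void) { g_hijacked_calls++; }  /* stands in for injected code */

/* Vulnerable pattern, as a protected build would emit it: unchecked copy into
 * the buffer, then use of a frame field, then the cookie check on the way out.
 * Returns 1 if the cookie survived, 0 if the check tripped.
 * The copy targets the whole struct object so that the overflow is a
 * well-defined write inside this model rather than undefined behaviour on the
 * real stack (which is why the demo runs the same way on any compiler). */
int vulnerable_frame(const unsigned char *data, size_t len) {
    struct frame f;
    f.cookie  = COOKIE;
    f.on_done = benign_handler;
    if (len > sizeof f) len = sizeof f;     /* stay inside the model object */
    memcpy(&f, data, len);                  /* overflow: runs past buf into cookie and on_done */
    f.on_done();                            /* frame data used BEFORE the check runs */
    return f.cookie == COOKIE;              /* check fires too late to matter */
}

/* Hardened pattern: the length is validated before the copy, so neither the
 * cookie nor the pointer can be reached. Returns -1 for rejected input. */
int hardened_frame(const unsigned char *data, size_t len) {
    struct frame f;
    f.cookie  = COOKIE;
    f.on_done = benign_handler;
    if (len > sizeof f.buf) return -1;      /* reject oversized input instead of overflowing */
    memcpy(f.buf, data, len);
    f.on_done();
    return f.cookie == COOKIE;
}

/* Constructed attacker input: filler through the buffer and cookie, then the
 * address of attacker_handler placed exactly where the saved pointer lives.
 * offsetof keeps the layout correct regardless of pointer size and padding. */
size_t build_payload(unsigned char *out, size_t cap) {
    void (*fp)(void) = attacker_handler;
    size_t need = sizeof(struct frame);
    if (cap < need) return 0;
    memset(out, 'A', need);
    memcpy(out + offsetof(struct frame, on_done), &fp, sizeof fp);
    return need;
}

/* Runs both patterns on the same input. Returns 1 when the vulnerable build
 * executed attacker_handler even though its cookie check then tripped, and the
 * hardened build rejected the input outright. */
int demo(void) {
    unsigned char payload[sizeof(struct frame)];
    size_t len = build_payload(payload, sizeof payload);
    g_benign_calls = g_hijacked_calls = 0;

    int v        = vulnerable_frame(payload, len);   /* 0: cookie clobbered */
    int hijacked = (g_hijacked_calls == 1);          /* but the hijack already ran */
    int h        = hardened_frame(payload, len);     /* -1: input rejected */

    printf("vulnerable: cookie_ok=%d hijacked=%d | hardened: rc=%d hijacked_calls=%d\n",
           v, hijacked, h, g_hijacked_calls);
    return v == 0 && hijacked && h == -1 && g_hijacked_calls == 1;
}

int main(void) { return demo() ? 0 : 1; }
```

The cookie check in vulnerable_frame does trip, but only after attacker_handler has already executed, which is exactly the false sense of security the release warns about: the compiler feature reports the overflow, yet the damage it was meant to prevent has already been done. The fix is in the source, not the compiler flag.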

Cigital CTO and author of Building Secure Software, Gary McGraw says, "There is no 'just add water' solution for software and application security, especially at the design level. The fact that even security features such as Microsoft's broken buffer overflow protection mechanism fall prey to security problems demonstrates the challenge we face. Cigital Labs' discovery shows why relying on a runtime compiler feature to protect against certain types of attacks is not sufficient. All developers and architects should put in place a rigorous software security regimen that includes source code review. Computer security hangs in the balance."

"In January 2002, Bill Gates outlined Microsoft's Trustworthy Computing initiative. This flaw's existence serves to emphasize how much hard work it takes to build secure and reliable software. There is much more to software security than simply demonstrating the right attitude," states Jeffery Payne, president and CEO of Cigital. "Designing and building software that works requires foresight and expertise. Developers and architects must be educated, trained and armed with the right tools. At Cigital, we built our business on understanding how to identify and manage these types of software risks."

Cigital adheres to a three-pronged approach when working with clients to deliver trustworthy software:

  • Training - Courseware to teach internal engineers how to build secure and reliable software;
  • Products - Proprietary tools that address specific needs in the software development process; and
  • Consulting - A complete solution to SRM.

About Cigital

Headquartered in Northern Virginia, Cigital is the leading authority and industry visionary on software risk management (SRM). Founded in 1992 on the simple, compelling premise that software must work, Cigital helps companies identify, analyze and reduce the risks of software failure—making their business operations and products more reliable, safe and secure. The Company delivers consulting services, products and training backed by the Cigital Advantage (SM), a methodological approach to full lifecycle SRM that is grounded in research and proven in practice. The constant innovation of its world-renowned Cigital Labs keeps Cigital at the forefront of software development and deployment, helping to solve the problems that affect businesses now, and anticipate and avoid potential future trouble spots. With additional offices in Boston and Los Angeles, Cigital helps companies get their software under control so they can take charge of their business.

Learn more about Cigital on the Web at http://www.cigital.com.

Contact:
Terri Randolph
Cigital
703-404-5757
trandolph@cigital.com

More technical details are available
