A software risk management consultancy by the name of Cigital claims the protection mechanism in Microsoft's Visual C++.NET compiler is vulnerable to attack.
The mechanism is called /GS and is there to handle buffer overflows, the cause of a lot of Microsoft's security woes.
Cigital warns against using it. It claims /GS resembles a piece of third-party widgetry called StackGuard and it takes a dim view of StackGuard. "The StackGuard mechanism makes a poor efficiency/security tradeoff, especially as implemented in Microsoft's compiler," it says.
Microsoft claims /GS has nothing to do with StackGuard.
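As an added illustration that is not taken from the article, from Microsoft or from Cigital, the C model below shows the general idea behind a StackGuard-style check of the kind /GS is compared with: a cookie placed between a character buffer and the saved return address is verified before the function returns, so a sequential overflow that reaches the return address has to pass through the cookie first. The frame layout, the cookie value and the address used here are constructed for the model and are not the compiler's real layout or constants; the overflow is confined to the model struct so the program stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a cookie-protected frame (illustrative layout only):
 * the character buffer sits below the cookie, which sits below the slot that
 * stands in for the saved return address. */
struct frame {
    char     buf[16];
    uint64_t cookie;        /* security cookie / canary */
    uint64_t saved_return;  /* stands in for the real return address */
};

/* Constructed, fixed cookie and return value; a real implementation picks the
 * cookie at run time rather than compiling in a constant. */
#define COOKIE_VALUE  0x5a5a1234deadbeefULL
#define RETURN_VALUE  0x401000ULL

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = COOKIE_VALUE;
    f->saved_return = RETURN_VALUE;
}

/* The unchecked copy: the length comes from the caller, not from the buffer
 * size. The write is clamped to the struct so the model itself is defined. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n)
{
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (n > room)
        n = room;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, n);
}

/* The epilogue check the compiler inserts: 1 if the cookie is intact, 0 if
 * it was changed, in which case the real mechanism aborts instead of returning. */
static int cookie_intact(const struct frame *f)
{
    return f->cookie == COOKIE_VALUE;
}

/* 1 if the overflow reached the simulated return-address slot. */
static int return_slot_changed(const struct frame *f)
{
    return f->saved_return != RETURN_VALUE;
}

/* Copies n constructed filler bytes into a fresh frame. Returns the cookie
 * check result and reports through *reached_return whether the return slot
 * was touched. */
int run_copy(size_t n, int *reached_return)
{
    unsigned char src[sizeof(struct frame)];
    struct frame f;

    memset(src, 'A', sizeof src);   /* constructed filler input */
    frame_init(&f);
    unchecked_copy(&f, src, n);
    *reached_return = return_slot_changed(&f);
    return cookie_intact(&f);
}

int main(void)
{
    size_t lengths[] = { 16, 20, 32 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int reached = 0;
        int ok = run_copy(lengths[i], &reached);
        printf("%zu bytes copied: cookie intact=%d, return slot reached=%d\n",
               lengths[i], ok, reached);
    }
    return 0;
}
```

A 16-byte copy fits and leaves the cookie intact; 20 bytes spill into the cookie and the check fails before the return slot is touched; 32 bytes reach the return slot, but only after changing the cookie, so the check still fires. The model also shows the design limit shared by any cookie scheme: it only detects writes that run through the cookie on their way past it.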
Cigital took impetus from a white paper written last year by Microsoft developer Brandon Bray called "How Visual C++.NET can prevent buffer overruns." Cigital thinks the title is misleading and overpromises. It claims developers might be lulled into a false sense of security and rely on the /GS feature to protect their code.
In response, Microsoft has pulled Bray's piece off the MSDN developers' web site for "updating" and the company concedes, "The title is probably not the best title in the whole world."
Source: HighBeam Research, VC++.NET Compiler Called "Vulnerability Seeder".