| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Inaccurate Claims Regarding Visual C++ .NET Security Feature | |
|
||
| Time: 00:57 EST/05:57 GMT | News Source: Microsoft | Posted By: Robert Stein | ||
|
A newly released report makes a series of unfounded allegations about the security of Visual C++ .NET. The report is incorrect—the claimed security flaw simply does not exist, and Visual C++ .NET works correctly. However, the report has spawned a number of news articles and we have received many questions from customers about it. In response, Microsoft would like to provide additional information about the report and the feature it discusses below. The claims involve the operation of a feature in the Visual C++ .NET compiler (which ships as part of Visual Studio .NET). This feature, known as Buffer Security Checking, provides an additional layer of security in the event that a programmer unknowingly develops a program containing a common coding error known as a buffer overrun. Buffer overruns are a serious security threat, and have been implicated in many serious security vulnerabilities. Buffer Security Checking prevents some types of buffer overruns from being exploited, even if the programmer does happen to make such an error. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 146 Last | Next |
The time now is
8:23:03 PM
ET.
Any comment problems? E-mail us |
| #1 By 135 (209.180.28.6) at 2/20/2002 2:24:30 PM |
|
The difference is, Microsoft actually creates a product with some value.
|
| #2 By 135 (209.180.28.6) at 2/20/2002 2:25:58 PM |
|
This is what SANS had to say about Cigital's actions:
[Editor's (Murray) Note: It is hubris for hackers to believe that they have the right to decide how long a vendor has to fix a vulnerability that was not a problem before the hacker disclosed it. Not all vulnerabilities are problems. Not all problems are of the same magnitude.] |
| #3 By 2332 (129.21.145.80) at 2/20/2002 9:53:21 PM |
|
#6 - Ah, so people who don't read the documentation should blame the maker of the product when their implementation fails?
Great logic. The fact is that Microsoft had never claim the feature prevent all buffer overflows, only a subset of them. If the end user is too stupid to read the damn manual, the only person at fault is them. |
| #4 By 2332 (129.21.145.80) at 2/21/2002 5:40:50 AM |
|
#8 - The quote #6 provided shows that Cigital didn't read the documentation, and those developers who "come away with a false sense of security" also have neglected to read the documentation.
Microsoft clearly states that the feature is intended to aid in security, but does not prevent all buffer overflows from occurring, and should not be relied on to do so. The article suggests that Microsoft mislead developers into thinking otherwise, when they did not. In other words, the so called "broken buffer overflow protection mechanism" is not broken at all; it's doing exactly what Microsoft claims it does. The only people who wouldn't know that are those who did not read the documentation, hence my comments. "In any case, making degrading references and cussing hardly makes for intelligent discourse, nor does it make your argument any clearer or give it any additional weight." Well, I find that only anally retentive, hypersensitive individuals think that "damn" is a cuss. At any rate, cusses are words too, and are often useful in situations when one desires to express certain emotions regarding a subject. I wanted to express frustration, and I think the use of the word "damn" did that quite well. In addition, I intended my argument to be clear to those who understood the context. In other words, those who read both the initial Cigital release (from which #6's quote came from), and the article reference to by this news item. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 146 Last | Next |
The time now is
8:23:03 PM
ET.
Any comment problems? E-mail us |
