Hole in just-released Visual Studio

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #28,375 by Steve Lowe 2/14/02 1:33:47 PM Reply	Hole in just-released Visual Studio [link\|http://story.news.yahoo.com/news?tmpl=story&u=/cn/20020214/tc_cn/flaw_spotted_in_new_microsoft_tool&cid=70\|Here] The security problem is said to lie with the compiler that accompanies the new Visual C++.Net ... Software security company Cigital says the compiler contains a flaw that can allow an attack called a "buffer overflow" to be initiated. confidence inspiring, ain't it. ----- Steve
Post #28,390 by altmann 2/14/02 2:50:17 PM Reply	Actually ... ... it is more like "feature in C++ native code compiler (ie: not C#, VB, or Managed C++) that is supposed to reduce the risk of code with buffer overflows is weak and can be bypassed." In other words, native compiled C++ code is no safer than it was before. It'll be more interesting when the managed code security bugs start popping up. A better overview is [link\|http://www.cigital.com/news/mscompiler-tech.html\|here] -- Chris Altmann
Post #28,626 by static 2/16/02 5:25:08 AM Reply	Wrong fix. Which is typical, but I'm not surprised. Unbounded functions like strcpy and sprintf should be quarantined in their own library that tools do not link automatically. Unfortunately, doing this would probably break many things. Imagine how much flack Microsoft would get if they tried this. Mind you, the security experts would probably appreciate it. Wade. "All around me are nothing but fakes Come with me on the biggest fake of all!"

Hole in just-released Visual Studio - (Steve Lowe) - (2) - Feb. 14, 2002, 01:33:47 PM EST

Actually ... - (altmann) - Feb. 14, 2002, 02:50:17 PM EST

Wrong fix. - (static) - Feb. 16, 2002, 05:25:08 AM EST

Fear my pink line.
77 ms