A compiler included in Microsoft's newly announced Visual C++ .Net is vulnerable to buffer overflow attacks, security firm Cigital warned this morning.
"The Microsoft compiler was specifically enhanced with a feature meant to protect potentially vulnerable source code automatically from certain forms of buffer overflow attack," according to the Dulles, Va.-based company's warning. "Because the protection mechanism itself is susceptible to a buffer overflow attack, developers who make use of the feature may come away with a false sense of security and unintentionally discount critical implementation problems. Malicious hackers can then exploit the software once it is fielded, leaving unsuspecting users completely exposed."
Microsoft couldn't be reached for comment this morning. Company spokesman Jim Desler told The Wall Street Journal that Microsoft was in the process of investigating the charge. "This appears to be a relatively narrow and technical deficiency," Desler said.
Buffer overflows allow attackers to send certain types of data to software, causing a program to execute malicious code.
The news comes a month after Microsoft Chairman Bill Gates issued a memo to all company employees urging them to make "trustworthy computing" their highest priority.