“Microsoft Corp. is going on the offensive to restore confidence in its .Net platform after a security consulting firm claimed it had found a critical flaw in a new compiler Microsoft released earlier this week. In an unusual move, a member of the team that developed the product in question–the Visual C++.Net compiler–posted a lengthy message to the Bugtraq security mailing list excoriating Cigital Inc. for making what Microsoft deems to be false claims in its press release and inciting unnecessary concerns about the security of .Net applications built with the compiler.[..] Brandon Bray, a member of the product’s development team said: ‘The allegation that applications compiled with Visual C++’s /GS switch somehow expose themselves to more attacks is unfounded and patently false.'” Read the rest of the story at ExtremeTech.
Microsoft: .Net Security Fears ‘Unfounded’
2002-02-16 Privacy, Security 19 Comments
Why does the link to read the rest of the article point straight back to OSNews ?
Thanks for pointing it out. Fixed.
We all know that MSFT products are full of security flaws, .Net is probably no different but people use them anyway so…
I guess this release is a beta.
We should wait for at least 2 service packs before going into production.
Or stupid because use that crap or forced by stupid to use that crap..
the result is the same.
so where are the comments by the linux people about how everyone can avoid insecure inferior microsoft products by using linux rewrites?????
as if stuff written by people in their free time can outperform top paid legions of programmers! at least the documentation doesn’t start with: sorry but English isn’t my native language!!!!!
“Or stupid because use that crap or forced by stupid to use that crap.. the result is the same. ”
If you’re so intelligent, why don’t you enlighten us by giving alternatives that are equivalent in functionality to .NET? I have no problem with people against .NET, I just need some *points* and *arguments* to debate on.
Just vomiting this kind of stupid sentence serves only one thing: making you look like a moron.
Is that /GS switch valid anyway when generating MSIL code? I mean, the CLR will do the checks then instead of the native code when being unmanaged code.
“I have no problem with people against .NET, I just need some *points* and *arguments* to debate on.”
Well, here are some points and arguments to chew on. In all appearances to me as I read about .NET, it just seems to be an attempt to take Sun out. Nothing about .NET is new or innovative. It works nearly identically to Java, and will actually take Java code and compile it into a program that won’t run on Sun’s runtime interpreter. I like Java for the language, but I hate the intermediate bytecode part of the equation. The world doesn’t need another bytecode/interpreted language so that you need a computer 4x faster than would be needed otherwise. GNU is working on a compiler that takes Java and compiles it into native machine code; however, Sun has managed to make the language so dependent on the interpreter and class libraries that Java the language is useless without them. In fact Java is almost an operating system in itself running on top of another operating system. How much more inefficient can you get than that? Seems the faster the computer becomes, the more inefficiently it is utilized.
To close, .NET is nothing more than a cheap attempt to take out Sun. The world doesn’t need another Java, and it certainly doesn’t need another proprietary programming language; especially if it’s owned by Microsoft.
“In fact Java is almost an operating system in itself running on top of another operating system. How much more inefficient can you get than that? ”
Aaahh! Thanks for your arguments! 🙂
You talk about the Java interpreter being almost an OS on top of another OS. Is .NET not supposed to change that, by using Windows .NET so you have just 1 layer of OS?
So, as I understand it (correct me if I’m wrong) any other OS wishing to support .NET will need to proceed like for Java: a bloated layer over an OS.
At the end: Windows is the big winner, because it’s the only system natively .NET, and not bloated by numerous layers on top of each other? Man, if it’s right, I have to say again Gates is a hell of a business (mad) genius… 🙂
Sun wanted to make JavaOS, remember?
Why who ? Why what ?
Sun has managed to make the language so dependent on the interpreter and class libraries that Java the language is useless without them.
Well, I think that just about any language is dependent on libraries. What’s wrong with that?
Java is not useless without the JVM. On the Windoze platform, if you want speed, there are native code compilers for Java. I downloaded Jet from Excelsior. For a quick test, I ran a simple Java program that prints all primes from 2 to 1,000,000 (posted on /.). Using the JDK, it took 185 seconds on my PC to complete. After converting the .class file to a native Windows .EXE file with Jet, it took 106 seconds. That was 2 seconds faster than with C#.
Let’s not forget the reasons for Java in the first place: server apps and cross-platform client code.
Efficiency takes many forms, and can’t be measured only on how close to the metal the code runs. Programmer productivity means a lot. Java gives that, and so will .NET (especially if Mono succeeds).
I think some people are confusing .NET (which is a rewrite of the Microsoft API and a move to XML based web services) with C#, which is a language introduced alongside .NET but not a prerequisite to .NET (as I understand it). You don’t have to program in C# to implement .NET into your systems. In fact, the concept of a common intermediate language is very similar to the JVM theory, but JVM is still pretty slow. Microsoft has made many smart choices recently – as much as I hate their politics, I love their new products and I believe that eventually, .NET will be successful and worthwhile. Sun needs to step it up if they want to compete (maybe sunLinux will help them find a new niche).
I read both posts to bugtraq and it seems to me this is one of those cases where a reporter is trying to make a story. Basically the way I read the posts was Chris Ren of Cigital.com is saying that the Microsoft added safeguards aren’t perfect and the Microsoft developer saying, of course they aren’t, but they help.
They’re introducing the .NET Framework now already to get programmers to move on it for Blackcomb. As I heard, it’ll be Blackcomb’s native API.
So, Microsoft is instrumenting some safeguards at the compiler level that help diagnose some runtime errors? And someone is complaining about it because it doesn’t catch all errors?
So, someone issues a press release because it is possible to write buggy code with the latest VC++?
I don’t know what Cigital has been smoking, but I’d really like to have some of it!
Hint to Cigital: the reason why people use C/C++ against Java/C# is exactly because it does *not* do the kind of checking that would be needed to prevent buffer overruns.
“Hint to Cigital: the reason why people use C/C++ against Java/C# is exactly because it does *not* do the kind of checking that would be needed to prevent buffer overruns.”
Yes! And let the programmers have the CHOICE to decide where the code needs critical error checking, and where to optimize for speed when security is less critical.
Fine for bank transaction programs, but you can’t do a powerful 3D engine with such default error checking …
Do you really think that Microsoft would put out a program that didn’t have them? Let’s look at the list of security flawed MS products:
DOS (all versions)
Windows (all versions – NT based systems being much better)
All products that support VB for Applications (Word, Excel, Outlook, etc.)
and so on. Just add .NET to the bottom of the list.