Just hours after software giant Microsoft released its latest set of developer tools, Visual Studio .Net, a security firm publicised a technical flaw in the tools that could leave programs open to hacker attacks. Though the security risk is low because the tools have been released to developers only recently, the identification of the flaw comes as Bill Gates guides Microsoft through a 'Trustworthy Computing' campaign to emphasise the security of the firm's software. Among highly publicised security problems from last year were the Code Red and Nimda worms, which targeted Internet servers running Microsoft software. The company's operating systems and applications run on millions of computers worldwide, adding to Microsoft's allure as a target for hackers. United States-based Cigital identified the .Net security hole and published a brief detailing it this week. According to Cigital, Microsoft's C++ compiler, included in the .Net package, depends on a component that is meant to protect against a common type of hacker attack known as 'buffer overflow' but is itself vulnerable. Cigital said because the problems with the StackGuard component that Microsoft used were well known, 'Microsoft clearly has room for improvement'. The attacks Cigital used to defeat the Microsoft mechanism were neither novel nor required exceptional expertise, the brief said. 'Had Microsoft studied the literature surrounding StackGuard, they [Microsoft] would have been aware of the existence of such attacks,' Cigital said. In addition to the .Net flaw, a virus circulating on the Internet exploits security holes found in Microsoft's MSN Messenger and Internet Explorer browsing software. Dubbed the Cool worm, the virus appears as an instant message and asks users to 'Go To http://www.masenko-media.net/cool.html NoW!!!' Once the user clicks on the site, a Javascript program will download to the user's computer and the worm will mail itself to addresses in the computer's Messenger address book. The worm uses known security holes for which Microsoft released a downloadable patch. Network security experts were concerned because it spread so quickly through the use of an instant messaging (IM) program. Sophos anti-virus consultant Natasha Staley questioned the use of IM software on office computers. 'With an increasing number of worms infecting IM applications, managers should question whether they [IM applications] are really necessary in the workplace,' she said. Aside from MSN Messenger, other IM software, including America Online's AOL Instant Messenger and ICQ, also have been the target of computer viruses. The .Net tools, released in several computing languages, aim to help developers create software that will run on Windows and serve information to a variety of devices, including desktop computers, mobile phones and personal digital assistants. Later this year, Microsoft plans to introduce subscription services based on .Net and has built data centres to host the services. In conjunction with .Net services, Microsoft has been developing Passport, which supports digital identification and digital wallet functions, and has introduced aspects of it through its MSN Web site. A virus targeting .Net files was sent to anti-virus companies last month, long before .Net tools were launched.
