Article:
  What .NET Got Right
Subject:   The Microsoft Security Bugbear
Date:   2002-02-11 19:48:58
From:   nzheretic
The problem is that .NET is still based on the Microsoft platform which inherits Microsoft's past attitude to the priority of security.


Sure, the CLR provides a sandboxed environment using method call type and argument checking, preventing buffer overflow and mistype attacks, but it does not provide much protection for failure in application/program logic of the underlying DLLs and servers. For example, type checking would not provide protection against malformed URLs passed to IE.


See "Meet the future of Windows security exploits"


http://www.theregister.co.uk/content/archive/23075.html


Even Bill Gates acknowledged this issue in his recent "leaked" email.


http://www.infowarrior.org/articles/2002-02.html#memo


Quote
"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."
Unquote


If you say that this issue must also affect Java on the Microsoft platform, well, yes it does.
However, from what I have seen of the C# and CLR interfaces, Sun's Java accesses external interfaces through a higher level of abstraction. This provides a small measure of protection against potential failings in the external application logic.
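An added example illustrating the point the post makes about type checking versus application logic (this is not code from the original post, nor from Microsoft or Sun): the CLR verifies that the argument handed to a method is a `string`, but whether that string is a well-formed URL of the kind the receiving component expects is logic the runtime never sees. `ExternalComponent` below is a hypothetical stand-in for the browser or native DLL that would receive the URL; the scheme list, the 2048-character length cap and the sample inputs are the example's own assumptions.

```csharp
using System;

// Added example, not from the original post. Both hand-off methods are
// type-safe and verifiable by the CLR; only one of them checks that the
// string is actually a URL the receiver is meant to get.
static class UrlHandoff
{
    // Schemes the application intends to pass on (assumption for this example).
    static readonly string[] AllowedSchemes = { "http", "https" };

    // Passes CLR type checking for any string, however malformed.
    public static bool HandOffUnchecked(string url)
    {
        return ExternalComponent(url);
    }

    // Validates structure before the hand-off: absolute http(s) URL, sane
    // length, and a real host name rather than arbitrary text.
    public static bool HandOffChecked(string url)
    {
        if (url == null || url.Length > 2048) return false;
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri parsed)) return false;
        if (Array.IndexOf(AllowedSchemes, parsed.Scheme) < 0) return false;
        if (parsed.HostNameType != UriHostNameType.Dns
            && parsed.HostNameType != UriHostNameType.IPv4
            && parsed.HostNameType != UriHostNameType.IPv6) return false;
        // Hand over the normalised form, not the raw input.
        return ExternalComponent(parsed.AbsoluteUri);
    }

    // Hypothetical stand-in (assumption) for the external component. It only
    // records the call; in the scenario the post describes, this is where a
    // logic flaw in the receiver would be reached by the malformed input.
    static bool ExternalComponent(string url)
    {
        Console.WriteLine("external component received: " + Truncate(url));
        return true;
    }

    static string Truncate(string s)
    {
        return s.Length > 40 ? s.Substring(0, 40) + "..." : s;
    }

    static void Main()
    {
        // Constructed sample inputs for the demonstration.
        string[] samples =
        {
            "http://example.com/index.html",     // well-formed, allowed
            "javascript:alert(1)",               // parses, wrong scheme
            "http://" + new string('A', 5000),   // oversized
            "not a url at all",                  // no URL structure
            "file:///C:/Windows/system.ini",     // local resource, wrong scheme
        };

        foreach (string s in samples)
        {
            bool unchecked_ = HandOffUnchecked(s);
            bool checked_ = HandOffChecked(s);
            Console.WriteLine($"unchecked={unchecked_} checked={checked_}  {Truncate(s)}");
        }
    }
}
```

Every sample reaches `ExternalComponent` through `HandOffUnchecked`, because the only property the runtime enforces is the parameter type; `HandOffChecked` lets only the first sample through. The check belongs in the managed caller precisely because, as the post says, the CLR offers no protection for what the external component does with the string once it has it.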