“Get reacquainted with the single biggest threat to software
security.”
“Buffer overflows accounted for over 50 percent of all major
security bugs leading to CERT/CC advisories last year… And the
data show that the problem is growing instead of shrinking…”
“Clearly, you would think by now that buffer overflow errors
would be obsolete. So why are buffer overflow vulnerabilities still
being produced? Because the recipe for disaster is surprisingly
simple. Take one part bad language design (usually in C and C++),
mix in two parts poor programmer practice, and you have a recipe
for big problems. Buffer overflows can happen in languages other
than C and C++, though without some incredibly unusual programming,
modern “safe” languages like Java are immune to the problem.”
“The root cause of buffer overflow problems is that C (and its
red-headed stepchild, C++) is inherently unsafe. There are no
bounds checks on array and pointer references, meaning a developer
has to check the bounds (an activity that is often ignored) or risk
encountering problems.”
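The missing bounds check described in that last quotation is easy to see side by side with the check a developer has to write. The following C program is an added example, not code from the quoted article or its authors; the function names copy_unchecked, copy_checked and build_greeting, and the constructed sample input, are illustrative choices made here. The unchecked version copies until it sees a NUL without ever consulting the size of the destination array; the checked versions make the destination size an explicit argument and refuse, rather than overflow, when the input does not fit.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 16

/* The unsafe pattern the quoted text describes. strcpy() copies bytes
 * until it finds src's terminating NUL and never looks at how big dst
 * is, so any src of BUF_SIZE or more characters writes past the end of
 * the array. Illustration only; never call this with input you do not
 * control. */
void copy_unchecked(char dst[BUF_SIZE], const char *src)
{
    strcpy(dst, src);   /* no bounds check: overflow if strlen(src) >= BUF_SIZE */
}

/* The bounds check C will not do for you. Returns 0 and copies src
 * (including its NUL) into dst if it fits in dst_size bytes, otherwise
 * returns -1 and leaves dst untouched. memchr() caps the scan at
 * dst_size bytes, so an unterminated src is not read past that point. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    const char *nul;
    size_t len;

    if (dst_size == 0)
        return -1;
    nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;              /* no NUL within dst_size bytes: src does not fit */
    len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);  /* len < dst_size, so len + 1 <= dst_size */
    return 0;
}

/* Same idea when building a string: snprintf() takes the size of dst
 * and reports how many characters the full result would have needed.
 * A return value >= dst_size means the output was truncated; report
 * that instead of silently handing back a cut-off string. */
int build_greeting(char *dst, size_t dst_size, const char *name)
{
    int needed = snprintf(dst, dst_size, "Hello, %s!", name);

    if (needed < 0 || (size_t)needed >= dst_size)
        return -1;
    return 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* Constructed sample input: 20 characters, longer than buf. */
    const char *attacker_input = "AAAAAAAAAAAAAAAAAAAA";

    /* copy_unchecked(buf, attacker_input) would write 5 bytes past the
     * end of buf here; the checked version refuses instead. */
    if (copy_checked(buf, sizeof buf, attacker_input) == -1)
        printf("rejected %zu-byte input for a %zu-byte buffer\n",
               strlen(attacker_input), sizeof buf);

    if (copy_checked(buf, sizeof buf, "short") == 0)
        printf("copied: %s\n", buf);

    if (build_greeting(buf, sizeof buf, "Bob") == 0)
        printf("%s\n", buf);
    if (build_greeting(buf, sizeof buf, attacker_input) == -1)
        printf("greeting would not fit, truncation reported\n");
    return 0;
}
```

Note that the checked functions return an error rather than truncating silently: a caller that ignores the return value still gets an intact, NUL-terminated buffer, and a caller that checks it can fail closed, which is the property the unchecked strcpy() call cannot offer.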