“It appears to me that these format strings have been
present a very long time. A CERT advisory mentioned them being in
WuFTPD since 1993. Do you think attackers have known about them and
been using them? (This certainly would be a convenient
explanation for many mysterious unsolved break-ins.)”
“This is a very interesting question. It depends what you mean
by “attackers.” I doubt this problem was widely known in the
underground cracker community. When that is the case, the exploit
usually leaks to the public. I can happily entertain that a few
highly skilled individuals knew about this issue, though. Finally,
we should be wary of attributing any unsolved break-ins to format
string bugs. Even if a compromised site was running daemons
containing format string bugs, there is still the potential for
undiscovered security bugs which are not of a format string
nature.”
“As we know, string/buffer handling has traditionally been very
buggy. The most obvious example of buggy buffer handling is the
classic buffer overflow.”