SecurityFocus: Format String Attacks | Linux Today

SecurityFocus: Format String Attacks

Written By
Web Webster
Web Webster
Sep 17, 2000

“The cause and implications of format string vulnerabilities are
discussed. Practical examples are given to illustrate the
principles presented.”

Format string bugs come from the same dark corner as many
other security holes: The laziness of programmers.
Somewhere
out there right now, as this document is being read, there is a
programmer writing code. His task: to print out a string or copy it
to some buffer. What he means to write is something like:

    printf("%s", str);

but instead he decides that he can save time,
effort and 6 bytes of source code by typing:

    printf(str);

Why not? Why bother with the extra printf argument
and the time it takes to parse through that silly format? The first
argument to printf is a string to be printed anyway!
Because the programmer has just unknowingly opened a security hole
that allows an attacker to control the execution of the program,
that’s why!”


Complete Story

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.