Thursday, February 14, 2019

Most Security Bugs Are Memory Safety Issues

Catalin Cimpanu (via Hacker News):

Speaking at the BlueHat security conference in Israel last week, Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.

The reason for this high percentage is because Windows has been written mostly in C and C++, two “memory-unsafe” programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. One slip-up in the developers’ memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences --such as remote code execution or elevation of privilege flaws.

1 Comment RSS · Twitter

I would hope this is the result of legacy code. C/C++ programmers have been aware of the risks for a couple decades now. Modern tools, best practices, and libraries greatly reduce the risk.

Leave a Comment