Dive Brief:
- About 70% of security patches administered by Microsoft over the last 12 years are due to memory safety issues, according to Microsoft security engineer Matt Miller, speaking at BlueHat security conference, reports ZDNet.
-
Windows is predominantly written in C and C++, which are "memory-unsafe" languages, according to Miller. Any accidental tweaks in memory management code can render a memory safety vulnerable, affording bad actors opportunities for exploitation.
-
Memory safety errors can lead to "intrusive consequences," including remote code executive or elevation of privilege flaw, according to ZDNet.
Dive Insight:
A memory safety vulnerability is a processing error which can cause issues like "marking memory as free even though it's actually still in use," Mike Hamburg, researcher and engineer for Cryptography Research, told CIO Dive in an email.
Unlike last year's Meltdown and Spectre, where memory could be accessed, "this is often a more serious problem," said Hamburg, because "in the worst case it can allow an attacker to directly take control of the program."
The widespread presence of memory safety errors make it easier and more desirable for bad actors to target. Memory safety vulnerabilities can unintentionally be disguised under several names, like "buffer overflow" or "use after free," according to Programming Languages Enthusiast.
These bugs are inherent in programming languages like C and C++, Thomas Prescher, security architect for Cyberus Technology, told CIO Dive in an email. "The programmer has to think about how memory is allocated and used," which makes it memory-unsafe. Java or Python, however, are memory-safe and provides "a runtime that takes care of that."
More sophisticated languages have surpassed C, yet it remains dominant. Operating systems written in memory-unsafe code are done so "because they do not provide so many levels of abstraction and make it easy to access," said Prescher.
Developers often turn to C as an alternative to using languages that memory-safe doesn't provide, but what's sometimes forgotten or ignored is the ability to write an application in a memory-safe language while reserving some performance aspects to C.
Programming languages have a tendency to overstay their anticipated lifecycle. C and C++ are not expected to retire anytime soon. Older languages, like Racket, remain in the wild. Though it's rare to see antiquated languages still in use, companies face the issue of maintaining legacy systems relying on old languages.