With Microsoft due to have its biggest ever patch Tuesday with 34 security flaws addressed, it got me thinking about buffer overflow exploits. At least two of the security problems to be fixed are due to weaknesses that allow stack overflow errors. Although buffer overflows have been around since as early as 1972, it wasn’t until 1999 that I really became aware of them. A company called eEye Digital Security released details of an exploit in IIS 4 that allowed you to open a remote shell on the targeted system over the HTTP protocol. If memory servers me correctly, there was a bit of a fuss at the time with Microsoft claiming the vulnerability was released to the public in an irresponsible way whereas eEye and others stated that without such ‘shock’ tactics, Microsoft wouldn’t treat the problem with enough urgency. Whatever the truth I got the distinct impression that Microsoft security notification service including how they credited 3rd parties suddenly got a lot better.
Perhaps the most famous exploit of a buffer overflow was the Code Red worm in 2001 which exploited a vulnerability in the Microsoft indexing software distributed in IIS. Although a patch had been available for over a month, many system administrators of public facing servers had failed to apply it or even disable the software if it wasn’t used. The positive aspect of the Code Red worm was the ‘wake up call’ it gave system administrators to correctly patch their systems.
There are many ways to protect against buffer overflows including a technique called Address Space Layout Randomization (ASLR) which is incorporated into Microsoft Windows 2008 and
Ultimately the best way to protect against buffer overflow is good programming from the most basic OS functions right up to application software.
The positive aspect of the Code Red worm was the ‘wake up call’ it gave system administrators to correctly patch their systems.
ReplyDeleteFall Protection Systems