Around 70 percent of all the vulnerabilities in Microsoft products addressed through a security update each year are memory safety issues; a Microsoft engineer revealed last week at a security conference.
Memory safety is a term used by software and security engineers to describe applications that access the operating system’s memory in a way that doesn’t cause errors.
Memory safety bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses.
Users who often read vulnerability reports come across terms over and over again. Terms like buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free –all describe memory safety vulnerabilities.
Speaking at the BlueHat security conference in Israel last week, Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.
The reason for this high percentage is because Windows has been written mostly in C and C++, two “memory-unsafe” programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. One slip-up in the developers’ memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences –such as remote code execution or elevation of privilege flaws.
Memory safety errors are today’s biggest attack surface for hackers, and attackers appear to be capitalizing on their availability. According to Miller’s presentation, use after free and heap corruption vulnerabilities continue to be the preferred bugs when attackers are developing exploits.
Furthermore, as Microsoft has patched most of the basic memory safety bugs, attackers and bug hunters have also stepped up their game, moving from basic memory errors that spew code into adjacent memory to more complex exploits that run code at desired memory addresses, ideal for targeting others apps and processes running on the system.
Related security coverage: