Simple Quality Problem Now A Security Problem

New hacking technique exploits common programming error:

Researchers at Watchfire Inc. say they have discovered a reliable method for exploiting a common programming error, which until now had been considered simply a quality problem and not a security vulnerability.

Jonathan Afek and Adi Sharabani of Watchfire stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company’s AppScan software against a Web server. The server crashed in the middle of the scan and after some investigation, the pair found that a dangling pointer had been the culprit. This wasn’t a surprising result, given that these coding errors are well-known for causing crashes at odd times. But after some further experimentation, Afek and Sharabani found that they could cause the crash intentionally by sending a specially crafted URL to the server and began looking for a way to run their own code on the target machine.

Funny, most security holes exploit a common software problem: developers wrote it.

All of those issues marked "not reproducible" or "low priority" (fix when hell freezes over) would suddenly get new importance. Never mind that, developers, you'd better check Woot! right now, or you could miss a deal!
