Information Security News mailing list archives
RE: Unsafe at any speed: Memcpy() banished in Redmond
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 18 May 2009 00:42:18 -0500 (CDT)
Forwarded from: Michael Howard <Michael.Howard (at) microsoft.com>

Brilliant ending

It also wondered aloud when "Larry, Steve, and Linus" plan to issue similar security edicts in their products. It's a question worth asking. (r)

-----Original Message-----
From: InfoSec News
Sent: Friday, May 15, 2009 2:40 AM
Subject: [ISN] Unsafe at any speed: Memcpy() banished in Redmond

http://www.theregister.co.uk/2009/05/15/microsoft_banishes_memcpy/

By Dan Goodin in San Francisco
The Register
15th May 2009

Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding.

Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later this year, Microsoft will add memcpy(), CopyMemory(), and RtlCopyMemory() to its list of function calls banned under its secure development lifecycle.

Memcpy has long served as a basic staple of C-based languages, providing a simple way to copy the contents from one chunk of memory to another. Its drawback comes when the source to be copied contains more bytes than its destination, creating overflows that present attackers with opportunities to remotely execute code in the underlying application.

"That's definitely one of those notoriously dangerous C commands," said Johannes Ullrich, CTO of the SANS Institute, who teaches secure coding classes to developers. He likened memcpy() to other risky functions such as strcpy() and strcat(), which Microsoft has already banned after exacting untold misery over the years.

[...]

--
LayerOne 2009, Information Security for the discerning professional.
May 23-24 2009 @ The Anaheim Marriott in Anaheim, California
Visit http://layerone.info for more information
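
The overflow condition the article describes (a source with more bytes than its destination), shown as an added example that is not part of the original message or of Microsoft's code. The record format, `struct user`, `checked_copy()` and `parse_user()` are assumptions made up for illustration; the point is that the copy length comes from the input and must be compared against the destination's capacity before `memcpy()` runs.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16

/* Constructed record format (an assumption for this example):
 * byte 0 = name length as claimed by the sender, bytes 1.. = the name. */
struct user {
    unsigned char name[NAME_CAP];
    size_t name_len;
};

/* Hypothetical helper: memcpy() with the destination capacity as an explicit
 * argument. Returns 0 on success, -1 if the copy would not fit. */
int checked_copy(void *dst, size_t dst_cap, const void *src, size_t count)
{
    if (dst == NULL || src == NULL || count > dst_cap)
        return -1;
    memcpy(dst, src, count);
    return 0;
}

/* The unchecked form would be: memcpy(u->name, msg + 1, msg[0]);
 * msg[0] can be up to 255, but u->name holds only NAME_CAP bytes. */
int parse_user(struct user *u, const unsigned char *msg, size_t msg_len)
{
    size_t claimed;

    if (u == NULL || msg == NULL || msg_len < 1)
        return -1;
    claimed = msg[0];
    if (claimed > msg_len - 1)      /* claims more bytes than were received */
        return -1;
    if (checked_copy(u->name, sizeof u->name, msg + 1, claimed) != 0)
        return -1;                  /* would overflow u->name */
    u->name_len = claimed;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 3-byte name, then a 20-byte name for a 16-byte field. */
    const unsigned char ok[]  = "\x03" "bob";
    const unsigned char big[] = "\x14" "AAAAAAAAAAAAAAAAAAAA";
    struct user u = {0};

    printf("fits: %d\n", parse_user(&u, ok, sizeof ok - 1));
    printf("oversized: %d\n", parse_user(&u, big, sizeof big - 1));
    return 0;
}
```

The second check in `parse_user()` guards the source side as well: a length byte larger than the bytes actually received would otherwise cause a read past the end of the input.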