Apple, Cisco, Microsoft and Mozilla all had critical vulnerabilities come out this month – September will be a real patch-a-thon. Many of the vulnerabilities discovered were of the “malformed input” variety, where protocols or file handlers can be corrupted when they are fed specially crafted input – often enabling the attacker to run arbitrary code on the target machine.
Old-style buffer and heap overflow attacks, and SQL/command injection attacks for that matter, were simple forms of malformed-input attack. Those could largely be dealt with by strong variable typing on input. Malformed text documents or audio files are scary new examples – if the receiving software can behave unpredictably depending on the content of a memo or song, it has serious deficiencies that are not going to be mitigated by input inspection.
It looks like a lot of this is driven by attackers using more advanced fuzzing tools that allow them to essentially brute-force software to find inputs that cause unexpected behavior. While software vendors with advanced secure development life-cycles are using fuzzing tools themselves, this is another example where security cannot be tested into software. The ball is now in the court of the application security testing vendors to demonstrate they can find these types of weaknesses when code is inspected prior to shipping.
John Pescatore
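An added illustration, not part of the original post, of a vendor-side fuzz test of the kind described above: a deterministic mutation fuzzer run against a toy "song" header parser, once with the declared length trusted and once with the parser checking it. The file format, function names and seed file are all constructed for this example.

```python
import struct
MAGIC = b"SNG1"  # constructed toy format: magic, u16 title length, title, u32 rate

class ParseError(ValueError):
    """The one failure callers are written to handle."""

def parse_naive(data: bytes) -> dict:
    # Every field has the right type, but the declared length is trusted.
    if data[:4] != MAGIC:
        raise ParseError("bad magic")
    (title_len,) = struct.unpack_from(">H", data, 4)
    title = data[6:6 + title_len].decode("ascii")
    (rate,) = struct.unpack_from(">I", data, 6 + title_len)
    return {"title": title, "rate": rate}

def parse_hardened(data: bytes) -> dict:
    if len(data) < 6 or data[:4] != MAGIC:
        raise ParseError("bad header")
    (title_len,) = struct.unpack_from(">H", data, 4)
    if len(data) != 6 + title_len + 4:  # length field must match the file
        raise ParseError("length field disagrees with file size")
    try:
        title = data[6:6 + title_len].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ParseError("title is not ASCII") from exc
    (rate,) = struct.unpack_from(">I", data, 6 + title_len)
    return {"title": title, "rate": rate}

def fuzz(parser, seed: bytes) -> list:
    """Return (input, exception name) for each failure the parser did not plan for."""
    cases = [seed[:n] for n in range(len(seed))]  # truncated files
    for i in range(len(seed)):                    # single-byte corruptions
        cases += [seed[:i] + bytes([v]) + seed[i + 1:] for v in (0x00, 0x7F, 0xFF)]
    findings = []
    for case in cases:
        try:
            parser(case)
        except ParseError:
            pass  # clean, documented rejection
        except Exception as exc:  # anything else is a robustness bug
            findings.append((case, type(exc).__name__))
    return findings

# Constructed seed file: a valid header for a song titled "Demo" at 44100 Hz.
SEED = MAGIC + struct.pack(">H", 4) + b"Demo" + struct.pack(">I", 44100)

if __name__ == "__main__":
    for p in (parse_naive, parse_hardened):
        print(p.__name__, sorted({name for _, name in fuzz(p, SEED)}))
```

In Python the naive parser's failures surface as unhandled exceptions; the same trusted length field in a memory-unsafe language would be an out-of-bounds read.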



































































































