Stack and Heap Overflows: Different Animals
Stack overflows and heap overflows are different animals. Heap overflows are much more subtle, but there are some dev tools for you to use. Microsoft's David LeBlanc developed the SafeInt class, a replacement integer class whose operators have been overloaded to force safe handling. (I always thought operator overriding was one of the stupider features of C++; this is the first compelling application I've seen of it.) There's also an IntSafe library for C development. But even with such safeguards in place, things can go wrong. Want a good example of how wrong things can go? Consider this US-CERT alert, which describes how C compiler optimizations can end up "optimizing away" code inserted to detect and prevent overflows. The alert was inspired by an actual problem in gcc, but any optimizing compiler should be inspected for this sort of problem. In fact, LeBlanc was concerned enough to check how SafeInt was handled. I'm not clear from his blog if he had a problem or not, but I think not.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
People at Microsoft tell me that the vulnerabilities they're finding these days, especially in old code, are very obscure and difficult to exploit. It's true that the overall number and overall severity of vulnerabilities in Windows are way down from what they were in previous years. They never claimed that they could eliminate all vulnerabilities or even all overflows. These things will always be with us, and it's a testament to how complicated software is these days that it can't be completely secured.
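As an added illustration of the pattern the US-CERT alert describes (this is example code written for this page, not code from the column, from SafeInt or from IntSafe; the function names are mine): the first check relies on signed overflow, which is undefined behaviour in C, so an optimizing compiler may delete it; the second compares against the limits before adding, and the third uses unsigned arithmetic, whose wraparound is defined.

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Naive check, shown only as the pattern the alert warns about: signed
   overflow is undefined behaviour, so the compiler may assume a + b never
   overflows and remove the test entirely (at -O2 gcc typically does). */
static int add_overflows_naive(int a, int b)
{
    int sum = a + b;                 /* UB if the true sum leaves int's range */
    return (b > 0 && sum < a) || (b < 0 && sum > a);
}

/* Safe check: compare against the limits before adding, so no UB occurs and
   the compiler has nothing it is allowed to optimize away. */
static int add_overflows_safe(int a, int b)
{
    if (b > 0) return a > INT_MAX - b;
    if (b < 0) return a < INT_MIN - b;
    return 0;
}

/* Unsigned arithmetic wraps by definition, so a post-add comparison is sound
   for size_t (the usual type for buffer-length bookkeeping). */
static int size_add_overflows(size_t a, size_t b, size_t *out)
{
    size_t sum = a + b;
    if (sum < a) return 1;           /* wrapped around */
    *out = sum;
    return 0;
}

int main(void)
{
    size_t total;
    printf("naive INT_MAX+1:  %d (compiler dependent)\n", add_overflows_naive(INT_MAX, 1));
    printf("safe  INT_MAX+1:  %d\n", add_overflows_safe(INT_MAX, 1));
    printf("safe  INT_MIN-1:  %d\n", add_overflows_safe(INT_MIN, -1));
    printf("size  SIZE_MAX+1: %d\n", size_add_overflows(SIZE_MAX, 1, &total));
    return 0;
}
```

Build it twice, with -O0 and -O2, and compare the first line of output: only the naive check changes.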