It used to be that buffer overflows were just a nagging 40-year-old glitch in the software development process. Today, as illustrated by Code Red, they are the No. 1 reason hackers can slice through corporate networks like Swiss cheese.
A buffer overflow occurs when someone inputs more data into a field than that field expects. The text that spills over can then be executed on the computer. “In laymens terms, it means your toilets stopped up and theres stuff everywhere,” explained Fred Stangl, an independent software developer in Langhorne, Pa.
According to the Computer Emergency Response Team, more than 50 percent of the vulnerabilities found in operating systems are due to buffer overflows, and many are attributable to Microsoft technology.
Microsofts software was developed for desktops, where buffer overflows are a minor problem. But with the same desktops now attached to the Internet, the problems can leave a gaping hole for hackers to climb through, critics say.
The problem has been so epidemic that a frustrated Microsoft President Steve Ballmer recently stormed into a customer meeting and complained about buffer overflows, which the company is attacking through its Secure Windows Initiative.
But scanning millions of lines of code to fix the problems is not an easy task, said Mike Corby, vice president of Netigy. “The code is so large and so complicated and written by so many different people, its impossible to prevent these things.”
“Software is still written by people, and buffer overflows is an issue that affects the [entire] industry,” explained Christopher Budd, a Microsoft program manager.
David Harrah, group manager of Java, a product of Microsoft rival Sun Microsystems, blamed Microsofts programming languages.
“The fundamental difference is that Java was developed as a network application platform and language,” Harrah said.