2.3.4.3 Buffer Overflows (Page 3 of 3)

Why Do They Occur?

As we mentioned earlier, this is not a new problem. The first high-profile buffer overflow exploit occurred in 1988, as part of the Morris Worm, which used an overflow in the Unix fingerd daemon to spread from machine to machine. Today it seems that new buffer overflows are discovered several times a week, in web servers, database servers, compression libraries and scripting languages. No code seems truly immune to the problem, for several reasons:

Programmers don't always write perfect code (why else do you think we keep urging you to stay up to date with patches and updates?).

Today's systems are made up of so many layers of program code, often supplied by half a dozen or more different sources, that it is as difficult to know what is going on inside a program as it is to know exactly what is going on under the hood of your car with the hood closed. A programmer might know the code they wrote, but three layers down is a routine written by a different company, called from yet another part of the program that our hapless programmer did not write either, and that routine passes data along carelessly and causes the overflow.

What to Do?

If you deploy internally written web applications, make sure your programmers are educated about the pitfalls of buffer overflows in code and how to avoid them (in particular, checking the length of every input before copying it into a fixed-size buffer, and rejecting or safely handling anything that does not fit), and, of course, stay up to date on patches and updates for your web-related software. Some excellent sources on writing secure code are discussed in section 1.4.12; we won't repeat them here.
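The layered scenario above, as an added example that is not part of the CertiGuide text: a fixed-size name field in a hypothetical third-party record library (layer 3) is reached from the programmer's own request handler (layer 1) through a middleware wrapper from a second vendor (layer 2). The unbounded strcpy version sits beside a hardened version that checks the length before copying and reports a failure that the upper layers must handle instead of assuming success. All names (struct record, NAME_MAX, record_set_name_unsafe, record_set_name_safe, middleware_store, handle_request, try_name) and the sample inputs are invented for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical field size in a third-party record library (assumption). */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];   /* fixed-size buffer */
    int  id;               /* sits right after name in memory */
};

/* Layer 3 (vendor library): trusts its caller and copies with no bound.
 * A name of NAME_MAX bytes or more (not counting the terminator) runs past
 * rec->name into rec->id and whatever follows. This is the overflow; it is
 * kept here only to show the pattern and is never called with long input. */
void record_set_name_unsafe(struct record *rec, const char *name)
{
    strcpy(rec->name, name);
}

/* Layer 3, hardened: refuse input that does not fit rather than truncating
 * it silently (silent truncation hides bugs and can change meaning). */
int record_set_name_safe(struct record *rec, const char *name)
{
    /* memchr stops at the first '\0' and never reads more than NAME_MAX
     * bytes, so this probe cannot over-read a short string. */
    const char *nul = memchr(name, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                       /* too long: reject, leave rec intact */
    memcpy(rec->name, name, (size_t)(nul - name) + 1);   /* includes '\0' */
    return 0;
}

/* Layer 2 (middleware from another vendor): forwards the name without
 * knowing the layer-3 limit. Its only job is to propagate the result. */
static int middleware_store(struct record *rec, const char *name)
{
    return record_set_name_safe(rec, name);
}

/* Layer 1 (our programmer's code): receives untrusted input. It must handle
 * the rejection rather than assume the call below always succeeds. */
int handle_request(struct record *rec, const char *untrusted_name)
{
    if (middleware_store(rec, untrusted_name) != 0)
        return -1;                       /* request rejected, record unchanged */
    return 0;
}

/* Drives one request against a fresh record and reports what happened:
 * 1 = accepted and stored intact, 0 = rejected and record untouched,
 * -1 = anything else (would mean the hardening is broken). */
int try_name(const char *name)
{
    struct record r = { "seed", 42 };
    int rc = handle_request(&r, name);
    if (rc == 0)
        return (strcmp(r.name, name) == 0 && r.id == 42) ? 1 : -1;
    return (strcmp(r.name, "seed") == 0 && r.id == 42) ? 0 : -1;
}

int main(void)
{
    const char *inputs[] = {             /* constructed sample input */
        "alice",                         /* fits */
        "0123456789abcde",               /* 15 chars + '\0' = exactly NAME_MAX */
        "0123456789abcdef",              /* 16 chars: would overflow into id */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %s\n", inputs[i],
               try_name(inputs[i]) == 1 ? "accepted" : "rejected");

    /* The unsafe routine behaves identically on short input, which is
     * exactly why it survives testing and code review until someone
     * sends a name that is one byte too long. */
    struct record r = { "", 1 };
    record_set_name_unsafe(&r, "bob");
    printf("unsafe copy of short name: name=%s id=%d\n", r.name, r.id);
    return 0;
}
```

The check in record_set_name_safe is deliberately a reject rather than a strncpy-style truncate: truncation keeps the program from crashing but can silently turn one value into another, and it leaves the terminator problem (strncpy does not always write one) to the caller. Returning an error forces every layer above to decide what to do with input that does not fit.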
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0, Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.