Microsoft has revealed a staggering 90 vulnerabilities in its products, including a critical code execution flaw in Windows. The vulnerability, CVE-2024-38063, carries a severity score of 9.8 out of 10 and could have allowed an attacker to gain full control over any internet-connected Windows system.
The vulnerability stems from a memory error, the class of bug in which software accesses memory it shouldn't or executes data that was never intended to be executable. Such errors are common in popular system-level languages like C/C++, which neither prevent them by design nor check for them automatically.
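To make the "unchecked access" failure mode concrete, here is an added example (not code from the article or from any Microsoft component) in C. It parses a constructed length-prefixed record into a fixed 16-byte buffer. The unchecked parser trusts the length byte and so can read past the received input or write past the destination, which C will not catch; the checked parser validates the length against both before copying. The record format, function names and error codes are assumptions for this example, and only the checked parser is ever called.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

/* Constructed wire format for this example: one length byte followed by that
   many payload bytes. Both parsers copy the payload into a fixed buffer. */
typedef struct {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} record_t;

/* Unchecked parser (the defect): trusts the untrusted length byte. If len is
   larger than PAYLOAD_MAX, memcpy writes past the end of out->payload; if it
   is larger than the bytes actually received, memcpy reads past the input.
   C detects neither. Shown for contrast only; never called in this example. */
int parse_record_unchecked(const uint8_t *in, size_t in_len, record_t *out)
{
    if (in_len < 1)
        return -1;
    out->len = in[0];
    memcpy(out->payload, in + 1, out->len);   /* bug: out->len not validated */
    return 0;
}

/* Checked parser: validates the length field against the destination capacity
   and the bytes actually received before copying anything.
   Returns 0 on success, -1 for truncated input, -2 for an oversized payload. */
int parse_record_checked(const uint8_t *in, size_t in_len, record_t *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;
    uint8_t claimed = in[0];
    if (claimed > PAYLOAD_MAX)
        return -2;                 /* would write past out->payload */
    if ((size_t)claimed > in_len - 1)
        return -1;                 /* would read past the received bytes */
    out->len = claimed;
    memcpy(out->payload, in + 1, claimed);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, two malformed. */
    const uint8_t good[] = {4, 'a', 'b', 'c', 'd'};
    const uint8_t truncated[] = {10, 'a', 'b'};   /* claims 10 bytes, has 2 */
    const uint8_t oversized[] = {200, 'x'};       /* claims 200 > PAYLOAD_MAX */
    record_t rec;

    printf("good:      %d\n", parse_record_checked(good, sizeof good, &rec));
    printf("truncated: %d\n", parse_record_checked(truncated, sizeof truncated, &rec));
    printf("oversized: %d\n", parse_record_checked(oversized, sizeof oversized, &rec));
    return 0;
}
```

The two checks in the hardened parser are exactly what a memory-safe language inserts for you: a bounds check on the destination and a bounds check on the source. In C they exist only if the developer writes them, which is why the bug class recurs as code is modified over time.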
The revelation comes as AI tools make it easier to search for bugs in existing code, increasing the likelihood of similar vulnerabilities being discovered. A recent incident involving CrowdStrike’s software led to crashes across millions of Windows machines, highlighting the need for memory-safe languages like Rust, Go, and C#.
Many vendors are transitioning to these languages due to their performance parity with C and C++ in systems-level software. Governments and standards bodies are already murmuring about requiring the use of memory-safe languages in critical systems in the coming years.
The root cause of many vulnerabilities is not a lack of skill among developers but that software rots over time as new people modify existing code, introducing new bugs or overlooking old ones.
AI will exacerbate this issue by accelerating bug discovery. Efforts are underway to train AI tools to recognize familiar classes of bugs, and intelligence agencies are likely working on similar projects.
To mitigate the risks, it's essential to review IT systems and the languages they are written in. Companies should prioritize memory-safe languages like Rust and plan to adopt them if their vendors don't already use them. Remember, a security patch can only go so far; a bullet-proof vest (like Rust) is needed to limit the damage a vulnerability can cause.
Source: https://builtin.com/articles/memory-safe-code