Code Red and Nimda, worms that experts said had the potential to knock the entire Internet offline, exploited long-standing vulnerabilities in Microsoft's IIS (Internet Information Services) Web server software. Those holes were caused by one well-known kind of programming error: the buffer overflow.
A buffer overflow occurs when a program writes more data into a fixed-size block of memory (a buffer) than the buffer was allotted, so the excess spills into whatever happens to sit next to it in memory, often with unpredictable results. Frequently, however, an attacker who controls the input can also control what gets overwritten, and the overflow then lets the attacker run any code they choose on the target machine.
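As an added illustration, not code from the original article or from IIS, the C program below shows the error in miniature. A hypothetical request record keeps a 16-byte name buffer immediately followed by a privilege flag; the unsafe handler trusts the caller's length and lets the copy spill into the flag, while the hardened handler checks the length first and refuses input that does not fit. The struct layout, the is_admin flag, and the over-long input are all constructed for the example and say nothing about the real IIS code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical request record (constructed for this example): a fixed-size
 * name buffer immediately followed by a flag that grants extra privilege. */
struct request {
    char name[NAME_LEN];
    int  is_admin;          /* sits right after name[] in memory */
};

/* Vulnerable handler: copies as many bytes as the caller says, without checking
 * that they fit in name[]. The copy goes through a char pointer to the whole
 * struct so the spill into is_admin is deterministic for the demonstration; a
 * real strcpy() onto a stack buffer corrupts whatever happens to be adjacent. */
int handle_unsafe(const char *input, size_t len)
{
    struct request r = { "", 0 };
    if (len > sizeof r)                     /* keep the demo inside the object */
        len = sizeof r;
    memcpy((char *)&r + offsetof(struct request, name), input, len);
    return r.is_admin;                      /* 0 unless the copy overwrote it */
}

/* Hardened handler: reject input that does not leave room for the terminator,
 * then copy with an explicit length instead of trusting the caller. */
int handle_safe(const char *input, size_t len)
{
    struct request r = { "", 0 };
    if (len >= sizeof r.name)
        return -1;                          /* too long: refuse, do not overflow */
    memcpy(r.name, input, len);
    r.name[len] = '\0';
    return r.is_admin;                      /* still 0: the flag was never touched */
}

/* Build an over-long input: NAME_LEN filler bytes, then non-zero bytes for every
 * remaining byte of the struct, so they land on is_admin. Constructed payload. */
size_t build_overflow_input(unsigned char *out, size_t cap)
{
    size_t total = sizeof(struct request);
    if (cap < total)
        return 0;
    memset(out, 'A', NAME_LEN);
    memset(out + offsetof(struct request, is_admin), 0x01,
           total - offsetof(struct request, is_admin));
    return total;
}

/* Feed the over-long input to each handler and return what it reports. */
int demo_unsafe(void)
{
    unsigned char in[64];
    size_t n = build_overflow_input(in, sizeof in);
    return handle_unsafe((const char *)in, n);
}

int demo_safe(void)
{
    unsigned char in[64];
    size_t n = build_overflow_input(in, sizeof in);
    return handle_safe((const char *)in, n);
}

int main(void)
{
    printf("unsafe handler: is_admin = %d\n", demo_unsafe());  /* non-zero: flag overwritten */
    printf("safe handler:   result   = %d\n", demo_safe());    /* -1: input rejected */
    printf("safe handler, \"alice\": is_admin = %d\n", handle_safe("alice", 5));
    return 0;
}
```

The unsafe handler "grants" privilege it was never given, purely because the bytes past the end of the buffer landed on the flag; with a stack buffer the same spill reaches saved return addresses, which is how an overflow becomes code execution. The fix is not exotic: the hardened handler simply compares the input length against the buffer size before copying.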
When Code Red and Nimda struck last year, many security experts were left to wonder why the vulnerabilities hadn't been patched. A better question to ask might be why buffer overflows, a class of error that has been known and avoidable for at least 30 years, are still cropping up with great regularity in modern software.
Buffer overflows have already made their presence widely felt in 2002. Microsoft issued patches to fix them in February. Database maker Oracle had multiple buffer overflows identified in its products in early February. Sun's Solaris operating system had one in January.
A combination of pressures from companies and consumers, educators and students, creates a situation in which the techniques that can stop persistent security holes such as buffer overflows are known but are neither used nor taught nearly enough. Consumers say they want security, but buy cheaper products with more features instead. As a result, vendors have less incentive to build more secure products, and in turn colleges and universities, the bodies that supply vendors with talent, see little demand from companies for more security skills in their students.
This matrix of factors, one that touches on nearly every aspect of the computer industry, makes buffer overflows a common problem.
A number of colleges and universities known for their computer science programs offer, at best, only the most basic security classes, and few on writing secure code.
At Carnegie Mellon University (CMU), "I don't think security as defence against malicious attacks is ever explicitly covered", in the first two years of an undergraduate degree, said Jim Morris, the dean of the School of Computer Science at CMU.