Microsoft has eradicated buffer overflows with Windows XP, following a source code security audit, group veep Jim Allchin claimed during a keynote at the Intel Developers Forum in San Jose.

A buffer overflow, which may cause a system or process to crash, happens when a program or process attempts to store more data in a buffer than intended. This is very useful for hackers because it enables them to create specially formatted malformed requests which will overflow a buffer and leave their code at parts on the system where it might subsequently be executed.

Buffer overflows first came to prominence with the Morris worm in 1988 and are still causing trouble even now. Variants of the Code Red worm exploited a buffer overflow flaw in the indexing service DLL of Microsoft's IIS Web server.

As a CERT advisory (http://www.cert.org/incident_notes/IN-2001-13.html) explains, IIS Web server on beta versions of Win XP were among those vulnerable to the problem.

It could be assumed elementary testing or code review would pick up buffer overflow problems in practice it is much more difficult.

A quick search revealed few published references on the prevention of buffer overflow problems, an occupational hazard of software programming that is not peculiar to Redmond. For that reason it'll be interesting to see the results of Microsoft's work." ®

Related Stories

Unique ID is built into WinXP final build (http://www.theregister.co.uk/content/4/21307.html)
Sun cries wolf over Windows XP (http://www.theregister.co.uk/content/4/21285.html)
Serious Outlook hole patched (http://www.theregister.co.uk/content/4/21197.html)
Buffer the FTP Slayer (http://www.theregister.co.uk/content/archive/18224.html)
BIND holes mean big trouble on the Net (http://www.theregister.co.uk/content/archive/16454.html)