T 4.8 Discovery of software vulnerabilities

Software vulnerabilities should be understood as unintentional program errors not yet known to the user, and constitute a security risk for the IT system. New security weaknesses are repeatedly found in existing (including widely-used) or completely new software.

Examples:

Two examples of the vulnerability of software encountered in Unix applications are:

• a sendmail bug which enabled any user to execute programmes and modify files by using the sendmail UID and GID; and

• the gets routine. This was used by the fingerd program to read a line, without a check of the boundaries of variables being made. Thus, by means of an overflow it was possible to modify the stack in such a way that a new shell could be started