IT Baseline Protection Manual
T 4.22 Software vulnerabilities or errors
What is true of all other software applies to standard software as well: the more complex it is, the more frequently errors occur. High user expectations and new versions of standard software appearing at too-short intervals can also lead manufacturers to release a product before it is mature and free of errors. If such software errors go undetected, the faults arising from the use of the software can have serious consequences.
Examples:
Users frequently overestimate the strength of the security functions built into standard software (such as passwords or encryption algorithms). These functions can often not withstand a well-planned attack for long. This applies, for example, to the encryption functions integrated into a number of word-processing programs: for almost all of them, numerous tools for overcoming this encryption are available on the Internet.
In one word-processing program, the appearance of a certain word in the spell-check consistently caused a crash.
Standard software often contains undocumented functions, such as so-called "gag screens", features that the product developer leaves behind for posterity. On the one hand these consume additional IT resources; on the other hand they show that the full functionality of the product cannot be pinned down to the last detail.
Most of the warning messages issued by Computer Emergency Response Teams in recent years have concerned security-relevant programming errors: errors introduced during software development that make it possible for perpetrators to misuse the software. Most of these errors were caused by buffer overflows. These are errors in which a routine for reading characters does not check whether the length of the character string entered fits within the memory area reserved for it. This makes it possible for a perpetrator to transmit an exceptionally long character sequence, so that additional commands are stored behind the memory area reserved for the entry and are then executed. These commands can, for example, be programs.
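The missing length check described above, shown as an added C example that is not part of the IT-Grundschutz text: `store_entry_unchecked` mirrors the described defect (input copied into a fixed area with no comparison of lengths), and `store_entry_checked` is the hardened form that rejects any entry that does not fit. The field size, function names and sample entries are constructed for illustration.

```c
/* Added example, not from the IT-Grundschutz catalogue: the length check
 * whose absence the threat description explains. Names and sizes are
 * constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* memory area reserved for one entry, incl. terminator */

/* The pattern the text describes: the routine copies whatever it is given
 * and never compares the input length with the reserved area. Any input
 * longer than FIELD_LEN-1 characters overwrites what lies behind `field`.
 * Kept only to show the defect; it must never receive untrusted input. */
void store_entry_unchecked(char *field, const char *input) {
    strcpy(field, input);
}

/* Hardened version: an entry that would not fit (including the terminating
 * NUL) is refused outright rather than truncated or copied past the end.
 * Returns 0 on success, -1 if the entry was rejected. */
int store_entry_checked(char *field, size_t field_len, const char *input) {
    size_t n = strlen(input);
    if (field_len == 0 || n >= field_len) {
        return -1;              /* would overflow the reserved area */
    }
    memcpy(field, input, n + 1);
    return 0;
}

/* Exercise the check with one short and one over-long constructed entry.
 * Returns 1 when the short entry is stored and the long one is rejected. */
int demo_entry_check(void) {
    char field[FIELD_LEN];
    int ok_short = store_entry_checked(field, sizeof field, "alice");
    /* 40 characters: far longer than the 16-byte field */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int ok_long = store_entry_checked(field, sizeof field, too_long);
    return (ok_short == 0 && ok_long == -1);
}

int main(void) {
    printf("%s\n", demo_entry_check() ? "length check works" : "unexpected result");
    return 0;
}
```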
A large number of further warning messages have concerned denial-of-service (DoS) attacks, which can cause the computer to crash through errors in individual routines used for processing network data (see, for example, CERT Advisory 97.28 on IP Denial of Service Attacks: Teardrop and Land-Attack