Organizations developing software have been urged by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to eradicate buffer overflow vulnerabilities by implementing secure-by-design principles, The Register reports.
Such "unforgivable" memory safety issues, which have been observed in products from Microsoft and Ivanti and in VMware vCenter, could be avoided by using memory-safe, up-to-date programming languages such as Go, Rust, and Swift, according to the joint FBI and CISA advisory, which noted Chinese cyberattacks leveraging one such vulnerability in the Linux kernel, tracked as CVE-2022-0185.

Software development firms were advised not only to adopt compiler flags and unit tests run under AddressSanitizer and MemorySanitizer but also to implement static analysis, manual code review, fuzzing, and analysis of previously discovered software defects.

"CISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities — especially the use of memory-unsafe programming languages — poses unacceptable risk to our national and economic security," said the agencies.
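What the advisory's recommendations look like at the code level, as an added example that is not part of the report or the FBI/CISA advisory: the classic unbounded copy into a fixed-size stack buffer, next to a bounds-checked replacement that refuses input that would not fit, with the AddressSanitizer build flag shown in a comment. The function names, the 16-byte buffer size and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Unsafe pattern: a fixed-size stack buffer filled by an unbounded copy.
 * Any input of NAME_MAX bytes or more (plus its terminator) writes past
 * the end of 'name' and corrupts the stack. */
int copy_name_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);          /* no length check: this is the buffer overflow */
    return (int)strlen(name);
}

/* Hardened replacement: measure the input without scanning past the
 * destination size, refuse anything that does not fit with its terminator,
 * and copy with an explicit bound. Returns the copied length or -1. */
int copy_name_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    if (out_len == 0)
        return -1;
    while (n < out_len && input[n] != '\0')   /* bounded length scan */
        n++;
    if (n == out_len)                          /* no room left for the NUL */
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper used for checks: runs the safe copy into a
 * NAME_MAX-sized buffer and returns its result code. */
int try_copy(const char *input)
{
    char buf[NAME_MAX];
    return copy_name_safe(input, buf, sizeof buf);
}

int main(void)
{
    char buf[NAME_MAX];
    /* constructed sample input, longer than the buffer */
    const char *long_input = "this-string-is-longer-than-sixteen-bytes";

    printf("safe copy of long input -> %d (rejected)\n",
           copy_name_safe(long_input, buf, sizeof buf));
    printf("safe copy of short input -> %d\n",
           copy_name_safe("alice", buf, sizeof buf));

#ifdef DEMO_UNSAFE
    /* Build with:  cc -g -fsanitize=address -DDEMO_UNSAFE overflow.c
     * AddressSanitizer aborts at the strcpy above with a
     * stack-buffer-overflow report naming the source line. */
    copy_name_unsafe(long_input);
#endif
    return 0;
}
```

The `-fsanitize=address` flag is the "unit tests with AddressSanitizer" part of the advisory: a test suite built that way turns a silent overflow into a hard failure with a stack trace. The same build can add `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` so that production binaries also abort rather than continue after an overflowed `strcpy`; neither flag is a substitute for the length check in `copy_name_safe`, which is the fix itself.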