On Tuesday, 16 May 2017 at 15:19:54 UTC, Walter Bright wrote:
On 5/5/2017 11:26 PM, Joakim wrote:
Walter: I believe memory safety will kill C.

I can't find any definitive explanation of what the WannaCry exploit is. One person told me it was an overflow bug, another that it was truncation from converting 32 to 16 bits.

Anyhow, the WannaCry disaster looks to be a very expensive lesson in using memory-unsafe languages for critical software. I know Microsoft has worked for years to use their own C which is memory safer; apparently it is not enough.

https://blogs.msdn.microsoft.com/martynl/2005/10/10/annotations-yet-more-help-finding-buffer-overflows/

I happened to be reading this blog post concerning the issue today:

https://www.troyhunt.com/dont-tell-people-to-turn-off-windows-update-just-dont/

It links to this official MS page from a couple months ago, which lists several CVE entries, which explicitly say they're different exploits:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Googling for that security update turns up this script, which claims a buffer overflow, but that could be just one of the holes:

https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb

I don't believe MS has disclosed the exact exploits, so it would depend on someone reversing the updates, and since there are so many, they're likely different types.

For those like Scott who say C has survived this long, I say it isn't unprecedented for tech with fairly well-known design flaws to last much longer than it should, until a crisis springing from those flaws finally kills it off. People usually ignore the potential problems until it blows up in front of their face.

I agree that this current constant security crisis, now that everything's on the internet, will kill off a lot of old tech, including C. It is one of the reasons IoT is currently stillborn. It is the biggest flaw in Android, where you're selling a billion+ mobile devices a year, and almost none of them get any security updates:

https://arstechnica.com/gadgets/2017/05/op-ed-google-should-take-full-control-of-androids-security-updates/

It will get a lot worse before it gets better, because it has been neglected for so long. :|
