Over the past few years, buffer-overflow attacks have become a major security threat to both the Windows and UNIX segments of the IT world. The System Administration, Networking, and Security (SANS) Institute lists buffer-overflow attacks in its article "The Twenty Most Critical Internet Security Vulnerabilities" (http://www.sans.org/top20.htm).
Buffer-overflow attacks are nothing new. The first buffer-overflow attack that infected thousands of Internet-connected machines was the infamous Internet worm released in 1988. That attack exploited a buffer overflow in the finger program and used the overflow to gain access to VAX machines that were running BSD UNIX. The first buffer-overflow vulnerability that hit Microsoft software (Microsoft Internet Information Server—IIS—4.0) was the Malformed HTR Request vulnerability that eEye Digital Security discovered in 1999. To find out more this vulnerability and how to protect against it, see the Microsoft Security Bulletin MS99-019 ("Patch Available for 'Malformed HRT Request' Vulnerability") at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms99-019.asp. Although Web servers such as IIS are a favorite buffer-overflow attack target, intruders can launch attacks against any type of application. . . .
