This is an overstatement, definitely. C is one of the few (mainstream) languages where memory safety vulnerabilities are even possible. So if you batch C and C++ together, they probably cover more than 90% of all the memory unsafe cove written in last 50 years, which is a strong implication that they will contribute to 90% of memory vulnerabilities.
All that said, memory vulnerabilities are about 65% of all high implact vulnerabilities on Chromium project[1] and about 70% of vulnerabilities at Microsoft [2].
Yeah… That’s a shit post alright.
I’m not a C developer myself, but that’s just a low blow. Also, uncited ;).
Yeah the only way it would be that high is if it lumps C and C++ together. But at that point it may be an underestimate.
This is an overstatement, definitely. C is one of the few (mainstream) languages where memory safety vulnerabilities are even possible. So if you batch C and C++ together, they probably cover more than 90% of all the memory unsafe cove written in last 50 years, which is a strong implication that they will contribute to 90% of memory vulnerabilities.
All that said, memory vulnerabilities are about 65% of all high implact vulnerabilities on Chromium project[1] and about 70% of vulnerabilities at Microsoft [2].
https://www.chromium.org/Home/chromium-security/memory-safety/ ↩︎
https://github.com/microsoft/MSRC-Security-Research/blob/master/presentations/2019_02_BlueHatIL/2019_02 - BlueHatIL - Trends%2C challenge%2C and shifts in software vulnerability mitigation.pdf ↩︎
So we’d only fix 70% of vulnerabilities by switching to rust? Not enough! Better keep writing C/C++!