In the middle of the year 2000, a new attack technique was discovered, called a "format string" error. It comes from a feature of the C/C++ programming language whereby a "template" string is used to format output. Example format string templates would be those for formatting the time, currency, scientific numbers, and so forth. However, a consistent flaw has been found in lots of code: programmers have been lazy and simply passed some input string directly as the format string. Knowing this, hackers can break into systems by carefully crafting input with special formatting codes. These formatting codes will overwrite memory in a fashion similar to buffer overflows.
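The flaw described above next to its fix, as an added example that is not part of the original entry. The function names `log_vulnerable`, `log_fixed` and `count_directives` and the sample input are hypothetical, chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* BEFORE: the input string itself is the template. GCC and Clang flag this
 * call under -Wformat-security; the pragmas only let the "before" compile. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_vulnerable(char *out, size_t n, const char *input) {
    return snprintf(out, n, input);
}
#pragma GCC diagnostic pop

/* AFTER: the template is a constant and the input is only data. */
int log_fixed(char *out, size_t n, const char *input) {
    return snprintf(out, n, "%s", input);
}

/* Rough count of formatting codes in a string; "%%" is a literal percent.
 * Used as a template, each one makes the formatter use an argument the
 * caller never supplied, i.e. memory it should not touch. */
int count_directives(const char *s) {
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }
        if (s[i + 1] != '\0') count++;
    }
    return count;
}

int main(void) {
    const char *input = "name=%s id=%x";   /* constructed sample input */
    char buf[64];

    printf("formatting codes in input: %d\n", count_directives(input));
    log_fixed(buf, sizeof buf, input);
    printf("fixed output: %s\n", buf);      /* codes come out as plain text */
    /* log_vulnerable() is run on code-free text only. */
    log_vulnerable(buf, sizeof buf, "hello");
    printf("vulnerable, harmless input: %s\n", buf);
    return 0;
}
```

With the fixed form the formatting codes in the input are copied out as literal characters; building with `-Wformat -Wformat-security` makes the compiler point at every call written like the "before" version.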