T 4.22 Software vulnerabilities or errors
The following applies to every piece of software: the more complex it is, the more frequently programming errors will occur. Software vulnerabilities are understood to refer to unintentional programme errors that are as yet unknown to the user and constitute a security risk to the IT system. New security loopholes are constantly being found in existing software, including widely used and brand new software.
Software errors or vulnerabilities may be caused by a multitude of reasons. These include, for example, communication errors between customers and developers, insufficient training of the programmers, or insufficient testing. Excessive expectations on the part of users, combined with tight release deadlines for standard software, can also lead manufacturers to offer a product before it is ready and while it still contains errors.
If software errors are not detected, the faults that result from using the software can have serious consequences. In the case of widely used standard software, a single vulnerability can rapidly give rise to serious security problems worldwide, for any type of institution.
Examples:
- A software error in the RACF security software of the z/OS operating system can mean that not only does RACF cease to operate, but that the entire system is now unable to function properly and needs to be restarted.
- The strength of the security functions implemented in standard software (such as passwords or encryption algorithms) is often overestimated by users. In many cases, these security functions cannot provide protection against a prolonged attack carried out by someone with the right knowledge. This applies, for example, to the encryption functions integrated into a number of word processing programmes. The Internet provides numerous tools to overcome the encryption available in almost all word processing programmes.
- It has been shown that the appearance of a certain word while running the spelling check in a certain word processing programme will always cause the programme to crash.
- Standard software often contains undocumented functions such as "Easter eggs" or "gag screens" that the product developers program to leave their own mark. This has the effect of consuming additional IT resources while making it clear at the same time that the full functionality of the product cannot be checked down to the last detail in the software test.
- Most of the warnings from Computer Emergency Response Teams in the last few years have been related to security-relevant programming errors. These are errors that arise during software development and that make it possible for the software to be misused by attackers. Most of these errors were caused by buffer overflows. These are errors in routines used to read character strings in which a routine does not check if the length of the character string entered matches the length of the memory area reserved for it. This makes it possible for attackers to transmit an exceptionally long character string containing additional commands that are then stored past the memory area reserved for the entry and executed. These commands can be from any type of programme.
A large number of warnings have also been due to denial of service (DoS) attacks, which can cause the entire computer to crash due to errors in individual routines used for processing network data.
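The buffer-overflow class of error described above, illustrated as an added example (not part of the catalogue entry): a string-reading routine that never compares the entry's length to the reserved memory area, next to a hardened routine that measures the entry first and rejects anything that does not fit. `FIELD_LEN`, the function names and the sample entries are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16  /* size of the memory area reserved for one entry (assumed) */

/* Read routine with the defect described above: the entered string is
 * copied without checking that its length fits the reserved area, so an
 * entry of FIELD_LEN characters or more is written past 'field'. */
void read_entry_unchecked(char field[FIELD_LEN], const char *input) {
    strcpy(field, input);
}

/* Hardened routine: measures the entry first (never looking beyond
 * FIELD_LEN bytes of input), rejects it if it would not fit together with
 * the terminating NUL, and otherwise copies exactly that many bytes.
 * Returns true when the entry was accepted; 'field' is always terminated. */
bool read_entry_checked(char field[FIELD_LEN], const char *input) {
    size_t len = 0;
    while (len < FIELD_LEN && input[len] != '\0')
        len++;
    if (len >= FIELD_LEN) {         /* too long, or not terminated within bounds */
        field[0] = '\0';
        return false;
    }
    memcpy(field, input, len + 1);  /* copies the NUL as well */
    return true;
}

/* Verdict-only check for callers that just need to know whether an entry fits. */
bool entry_fits(const char *input) {
    char field[FIELD_LEN];
    return read_entry_checked(field, input);
}

int main(void) {
    char field[FIELD_LEN];
    /* constructed sample entries: one that fits, one that would overflow */
    const char *short_entry = "user01";
    const char *long_entry  = "this entry is far longer than the field";

    read_entry_unchecked(field, short_entry);   /* safe only because the input is short */
    printf("unchecked: \"%s\"\n", field);
    printf("checked short: %s -> \"%s\"\n",
           read_entry_checked(field, short_entry) ? "accepted" : "rejected", field);
    printf("checked long:  %s -> \"%s\"\n",
           read_entry_checked(field, long_entry) ? "accepted" : "rejected", field);
    return 0;
}
```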