The Microsoft Security Response Center (MSRC) has catalogued Microsoft security vulnerabilities since 2004. About 70% of the patches Microsoft issues each year fix memory-safety vulnerabilities.
[Figure: Around 70% of Microsoft's vulnerabilities every year are due to memory-safety issues.]
Until now, Windows and most other Microsoft products have been written primarily in C and C++. Both languages are "memory-unsafe": they give developers fine-grained control over memory addresses and what gets executed, but a single mistake in code that manages memory can have serious, far-reaching consequences, including remote code execution or elevation of privilege.
This is leading developers to look for a memory-safe language such as Rust, which in the near future could become a practical alternative for building more secure Microsoft applications.
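To make the memory-safety point concrete, here is an added example (not code from the article or from Microsoft) in Rust. It parses a constructed length-prefixed record format, the kind of code where a C implementation that trusted the length byte would read past the end of its buffer. In Rust the slice type refuses out-of-range access, and `get` turns that refusal into a recoverable error rather than a crash or a silent over-read. The record format, the `ParseError` type and the sample bytes are all assumptions made for this illustration.

```rust
// Added example (not from the article): parse constructed length-prefixed
// records safely. A C loop that trusted `len` would index past the buffer;
// Rust slices bounds-check every access, and `get` returns None instead of
// panicking, so a malformed length becomes an ordinary error value.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The length byte promised more bytes than the buffer holds.
    Truncated { needed: usize, available: usize },
    /// No length byte present at all.
    BadLength,
}

/// Parse one record: a 1-byte payload length followed by that many bytes.
/// Returns the payload slice and the number of bytes consumed.
pub fn parse_record(buf: &[u8]) -> Result<(&[u8], usize), ParseError> {
    let len = *buf.first().ok_or(ParseError::BadLength)? as usize;
    // `get` with a range returns None if the range exceeds the slice,
    // which is exactly the over-read case C would not catch.
    let payload = buf.get(1..1 + len).ok_or(ParseError::Truncated {
        needed: 1 + len,
        available: buf.len(),
    })?;
    Ok((payload, 1 + len))
}

/// Parse every record in the buffer, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (payload, used) = parse_record(buf)?;
        out.push(payload);
        // `used` is at most buf.len() because `get` succeeded above.
        buf = &buf[used..];
    }
    Ok(out)
}

fn main() {
    // Constructed sample input: two well-formed records ("abc" and "xy").
    let good = [3u8, b'a', b'b', b'c', 2, b'x', b'y'];
    println!("{:?}", parse_all(&good));
    // Constructed malformed input: the length byte claims 10 payload bytes
    // but only 2 follow; the parser reports Truncated instead of over-reading.
    let bad = [10u8, b'a', b'b'];
    println!("{:?}", parse_all(&bad));
}
```

The design choice worth noting is that the only place an attacker-controlled number touches memory is the `get` call, and its result type forces the caller to handle the failure path before a byte of payload is ever read.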
Rust was a brainchild of Mozilla, created to build a safer and faster Firefox browser. The Brave browser has already replaced the ad-blocking component it originally wrote in C++ with a Rust version. According to the StackOverflow Developer Survey 2019, Rust has been the most popular programming language among developers for the last four consecutive years. Rust's popularity stems from its more straightforward syntax and from the fewer application bugs it produces, which lets developers focus on extending their applications instead of ongoing maintenance.
MSRC's chief security engineering manager Gavin Thomas also suggested that third-party developers should have a look at Rust as a memory-safe language. He noted that developers are putting time and effort into learning how to debug memory-related security vulnerabilities in C++ applications, yet this is not the job developers should focus on; their core job is functional development. Thomas asked, "Why didn't you introduce memory security issues into the development language in the first place?"
In the end, he appealed: "If the industry really cares about security, it should focus on the tools of developers, and should not be fooled by all security devices and outdated methods. We must first try to prevent developers from getting into defects, rather than providing solutions, guidance and tools for defects."