CISA and FBI Warn Against Buffer Overflow Vulnerabilities

A new alert from the US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) has outlined strategies to eliminate buffer overflow vulnerabilities in software.
Part of the Secure by Design Alert series, the report published on Wednesday emphasizes using memory-safe programming languages and other secure development practices to prevent these defects, which are commonly exploited by malicious actors.
Buffer overflow vulnerabilities occur when a program writes (or reads) beyond the bounds of the memory allocated for a buffer, leading to data corruption, crashes and, when the attacker controls the data that spills over, arbitrary code execution. Threat actors exploit these flaws to gain initial access to networks, often using them as the entry point for broader attacks.
Key Recommendations
CISA and FBI urged software manufacturers to adopt the following strategies:
- Use memory-safe programming languages, such as Rust, for new code
- Implement compiler protections, like runtime checks and canaries
- Perform adversarial testing with static analysis and fuzzing
- Publish roadmaps for transitioning legacy code to memory-safe alternatives
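To make the first two recommendations concrete, the following is an added example in C, not code from the CISA/FBI alert: the classic stack-overflow pattern next to a bounded copy that rejects oversized input instead of overrunning the buffer. The names NAME_LEN, copy_bounded, greet_unsafe and greet_safe are chosen for this illustration only.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* illustrative fixed-size stack buffer */

/* Vulnerable pattern (CWE-121, stack-based buffer overflow): strcpy copies
 * until it finds a NUL byte and never looks at the destination size, so a
 * 20-byte name writes five bytes past buf into whatever follows it on the
 * stack (saved registers, the canary, the return address). Shown for
 * contrast only; main() below never calls it with oversized input. */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);
    printf("hello, %s\n", buf);
}

/* Hardened form: measure the source without scanning past dst_len bytes,
 * and refuse input that does not fit together with its NUL terminator.
 * Rejecting beats silent truncation (strncpy's behaviour), which can drop
 * the terminator and turn one bug into another.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;

    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n == dst_len)                        /* no room left for the NUL */
        return -1;

    memcpy(dst, src, n + 1);                 /* n + 1 <= dst_len: in bounds */
    return 0;
}

/* Same functionality as greet_unsafe, built on the checked copy.
 * Returns 0 when the name was printed, -1 when it was rejected. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    if (copy_bounded(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "rejected: name must be under %d bytes\n", NAME_LEN);
        return -1;
    }
    printf("hello, %s\n", buf);
    return 0;
}

int main(void)
{
    greet_safe("Ada");                    /* fits: prints the greeting */
    greet_safe("AAAAAAAAAAAAAAAAAAAA");   /* 20 bytes: rejected, nothing overwritten */
    return 0;
}
```

The compiler protections in the second recommendation sit on top of this, not in place of it: building the unsafe variant with `gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2` makes glibc substitute a size-checked strcpy that aborts on the 20-byte input, and the stack canary catches an overwrite of the return address before the function returns. Both turn code execution into a crash; only the bounded copy, or a memory-safe language that enforces bounds for every access, removes the bug.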
Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU), highlighted the urgent need to eliminate unsafe practices.
“Legacy excuses are out; the world has zero tolerance for memory-unsafe code in 2025. Yes, rewriting old systems is daunting, but letting attackers exploit decades-old buffer overflows is worse […],” Abbasi explained. “Buffer overflows aren’t an inevitability; they’re a failure of priorities.”
Secure by Design Principles
The report also emphasized three core principles for secure software development:
- Ownership of Security Outcomes: Manufacturers must eliminate vulnerabilities proactively, reducing reliance on patches and updates
- Transparency: Vendors should disclose vulnerabilities clearly and maintain robust incident response protocols
- Strategic Leadership: Executives must demand memory-safe transitions and prioritize long-term security investments
Abbasi criticized organizations for clinging to unsafe programming languages, noting that they “risk turning minor vulnerabilities into massive breaches – and they can’t claim surprise.” He called for collective action, urging leadership to demand memory-safe practices and buyers to hold vendors accountable.
The alert also highlights successful transitions by Google, Microsoft, and Mozilla to memory-safe languages, demonstrating that these changes are feasible and cost-effective.
CISA and FBI encouraged manufacturers and customers to take the Secure by Design Pledge and prioritize products that embed security from the outset.