Don't catch it!
Dot your i's, cross your t's - but don't catch your exceptions. That's what is recommended if you are coding for Windows Vista.
Well, not exactly. There is an extremely interesting post on the recent ANI cursor handling security vulnerability here. It has a new take on catching exceptions: catching an exception thrown from a vulnerable snippet of code may nullify the protection provided by Vista's address space randomization, since the attacker can keep trying different input values against the same process without it ever exiting.
Really interesting. The real question is: how much attention do we really need to pay to this? Where do we draw the line between reliable code (code that catches exceptions) and secure code (code that doesn't)? Is it too early to be worrying about this? I wonder.
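To make the trade-off concrete, here is an added C++ sketch (my own illustration, not code from this post or from the post it links to) of the two handler policies the question above contrasts. Everything in it is hypothetical: the `CURSOR:<size>` input format, the `loadCursor` function, the `kPixelBufferSize` buffer and the sample input stream are all constructed for the example. The missing bounds check is modelled as an internal fault thrown as `std::runtime_error`, where real native code would corrupt memory or crash; that substitution is what lets the example run.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Expected failure: input that fails validation. Safe to catch and move on.
struct MalformedInput : std::invalid_argument {
    using std::invalid_argument::invalid_argument;
};

constexpr std::size_t kPixelBufferSize = 4096;  // hypothetical fixed buffer

// Hypothetical cursor loader. Accepts "CURSOR:<decimal size>".
// It validates the header and the number, but (deliberately, mirroring a
// missing bounds check) does not validate the size against the buffer.
// The overrun is modelled as a std::runtime_error so the example runs.
std::size_t loadCursor(const std::string& input) {
    static const std::string header = "CURSOR:";
    if (input.compare(0, header.size(), header) != 0)
        throw MalformedInput("bad header");
    std::size_t pos = 0;
    unsigned long size = 0;
    try {
        size = std::stoul(input.substr(header.size()), &pos);
    } catch (const std::logic_error&) {  // invalid_argument / out_of_range
        throw MalformedInput("size is not a number");
    }
    if (pos != input.size() - header.size())
        throw MalformedInput("trailing garbage after size");
    // Unexpected failure: an internal invariant broke. Whatever caused it,
    // the process state can no longer be trusted.
    if (size > kPixelBufferSize)
        throw std::runtime_error("internal fault: write past pixel buffer");
    return size;
}

struct Outcome {
    std::size_t loaded = 0;
    std::size_t rejected = 0;          // MalformedInput, handled
    std::size_t faults_swallowed = 0;  // internal faults hidden by catch(...)
};

// Policy A ("reliable"): catch everything. One process instance, i.e. one
// address-space layout, absorbs every input in the stream, including the
// ones that broke an invariant, and nobody outside ever notices.
Outcome processSwallowAll(const std::vector<std::string>& inputs) {
    Outcome out;
    for (const auto& in : inputs) {
        try {
            loadCursor(in);
            ++out.loaded;
        } catch (const MalformedInput&) {
            ++out.rejected;
        } catch (...) {
            ++out.faults_swallowed;  // never crashes, never re-randomizes
        }
    }
    return out;
}

// Policy B ("secure"): catch only the failures the code understands. An
// internal fault propagates; in a real program it reaches the top of the
// stack and terminates the process, so the next instance starts with a
// fresh randomized layout.
Outcome processFailFast(const std::vector<std::string>& inputs) {
    Outcome out;
    for (const auto& in : inputs) {
        try {
            loadCursor(in);
            ++out.loaded;
        } catch (const MalformedInput&) {
            ++out.rejected;
        }
        // anything else propagates to the caller
    }
    return out;
}

// True when an internal fault escapes the fail-fast policy (what would have
// been a process exit in real code).
bool faultPropagates(const std::vector<std::string>& inputs) {
    try {
        processFailFast(inputs);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

// Constructed sample stream: two valid cursors, one malformed input, and one
// input that trips the internal fault.
std::vector<std::string> sampleInputs() {
    return {"CURSOR:16", "CURSOR:abc", "CURSOR:99999", "CURSOR:32"};
}

int main() {
    Outcome a = processSwallowAll(sampleInputs());
    std::cout << "swallow-all: loaded=" << a.loaded << " rejected=" << a.rejected
              << " faults hidden=" << a.faults_swallowed << '\n';
    std::cout << "fail-fast: fault escaped=" << std::boolalpha
              << faultPropagates(sampleInputs()) << '\n';
    return 0;
}
```

The line I would draw is the one policy B draws: catch the exception types the code actually expects (validation failures), and let anything else terminate the process. A `catch (...)` that hides internal faults is also worth flagging in review and, at minimum, logging with a counter, since a process that keeps surviving such faults is exactly the condition the linked post describes.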