The reason you hear a lot about errors using C is because it’s a language extremely popular, used in many important systems and libraries where some easy errors of cometor can be converted into vulnerabilities (access to vector out of Bounds, "dangling pointers", etc).
That being said, a vulnerability is anything an opponent can use against your system, which is something extremely broad and which can work with any system regardless of which language is used in its implementation.
A simple example that we can do is code injection vulnerabilities, such as SQL Injection. For example, suppose I have a web page in which the user enters the name of a country and the system responds with the number of goals that country scored in the world cup. If my data is in a relational database I will have to prepare a question for the database similar to the following:
pergunta = "SELECT gols FROM tabela_copa WHERE pais='Brasil';"
gols = bandoDeDados.executar(pergunta)
The naive way to pass the user-chosen country is to use string concatenation or interpolation:
pais = entrada_do_usuario()
pergunta = "SELECT gols FROM tabela_copa WHERE pais='" + pais + "';"
gols = bandoDeDados.executar(pergunta)
Now, what happens if the user type the following "country" in the search field?
'; DROP TABLE tabela_copa
The generated command will be
SELECT gols FROM tabela_copa WHERE pais='';
DROP TABLE tabela_copa;
And we will delete all our data from the database. Basically, we gave a loophole for the user to run SQL in our database on our behalf and the database, which trusts us, ran the commands blindly.
Running SQL code is not as direct a vulnerability as a buffer overflow defect, but it is still a form of privilege escalation and remote code execution. Similar code injection problems are also very common in other contexts:
- Improper handling of user data on HTML pages can lead to XSS (cross site scripting vulnerabilities).
- Servers evaluating user code data as code. For example, in PHP this can occur in regular expressions with the modifier /e
- Phreaking, a technique involving a series of precise whistles that the first hackers used to speak for free at the pay phone.
Well, someone can come now and say that these bugs are the fault of the programmer and not the language. But is it true? I’ve had enough of listening to people using this same argument to defend C ("if you never accessed vectors out of bounds, you wouldn’t have to worry about overflow") and it’s perfectly possible for the language or system to protect you from these vulnerabilities. For example, if we used separate data types for HTML and user strings it would not be possible to treat user values as HTML. The only way to pass a string to the HTML document is to first pass it through the escape function. Similarly, it is possible to avoid SQL injection if the data type used to describe SQL commands does not support concatenation operation.
As for the vulnerabilities of Java or Flash in the browser, the main problem is that these systems are large and will inevitably contain bugs, which will come to light when these systems have to deal with hostile entries from malicious users on the internet. For example, some versions of the flash plugin (implemented in C++) gave a stack overflow when trying to read certain corrupted swf files and some versions of JVM allowed malicious applets to scale their privileges and escape from the safe sandbox.
I would change a few things in the question. Bugs and vulnerabilities are different things. The way it’s written, it takes time to understand what the question is. And it still gives the impression of being something biased against C and only careful reading makes you realize that this is not quite it. And still there are not so many software like this that are made in C. There are many, but not so many. Even if you add those made in C++ that I think today surpass those developed in C. But this is a number kicked too.
– Maniero
I’m not going to answer because I couldn’t find a way without giving my opinion. Summarizing C actually facilitates some vulnerabilities that many other languages hinder although there are tools and techniques to avoid them. Java is always among the biggest vectors of vulnerabilities in computers, only other types. Certain security issues cannot be solved with a virtual machine and certain language restrictions. On the other hand much that runs with Java is written in C++ and can even delegate part of the blame to it, but the result and the culprit in the end is the same.
– Maniero
Javascript running in one browser has much smaller problems but there are risks. The problems are smaller because of the browser limiting access to the computer. Of course, more modern and more restrictive languages help to avoid vulnerabilities, but there are so many possible ways that you cannot guarantee security in any technology. Nor apps mobile in those Stores are free of this, they just go through a process that helps avoid publishing with vulnerabilities. Anyway, the subject is complex and also I will not be able to summarize in comments. I hope for someone to respond nice.
– Maniero
@Maniero Are bugs and vulnerabilities different things? So I’ve been reading both terms are in part interchangeable, although bug is represented as a strange behavior in the program and vulnerability a flaw in the logic of the program that allows arbitrary code execution or malicious exploitation. But I think the two terms are actually very close. It is not possible to use a bug for malicious purposes?
– Sid
@Maniiero Yes, the "security" factor in C is a separate discussion and it even involves personal opinion. But, trying to be as impartial as possible, I say that C is so "fragile" precisely because it is practically a readable "Assembly". It is a raw and resource-free language seen in high-level languages precisely because it was made to work with programming at the lowest possible level with good features. And by those and others he is so fast. I think they would never be able to add a new Feature in C without a considerable overhead.
– Sid
@Maniero And I say that C is at least 98% of the software running on our computers because C is a fundamental language. It is even through it that high-level languages that both accelerate our productivity are implemented! Including JVM and CLR (from .NET) are written in C/C++! And Python, Ruby and other interpreters are also implemented in C.
– Sid
You are reading in bad places or misinterpreting it. You just said yourself that they are different things in your definition. Just read carefully what you wrote. Not every bug is a vulnerability and a vulnerability can occur by other means. A program resulting in "2" and should result in "3" is a bug. What malicious code can be executed because of this? The question of C is much more complex than this, so I preferred not to answer. In order not to stay in the achism I would have to write a book chapter. I’m not saying I can’t be answered objectively by another.
– Maniero
So I think it’s appropriate to edit the title of the question.
– Sid
C is one thing C++ is another. C++ is less prone to bugs and vulnerabilities than C, at least if used in the recommended way. And if you go into the various layers of a software it becomes more complicated. I still have another view on the intense use of C and not think up to 98% even if C++. As I have no data, I cannot say.
– Maniero
I actually think it would be more appropriate to say "C-like language family" or "C/C++". But in general specify C also specifies C++.
– Sid
@Sid bug is a problem "created" by the programmer, vulnerability refers to something the programmer was not at fault.
– rochasdv
Programming correctly does not require you to be a genius: Put Yourself Out There: The Myth of the Genius Programmer
– lsalamon
I didn’t read the comments, so I might be repeating what someone said. But it is possible to write code vulnerable with other languages (even interpreted languages). People are always trapped in buffer overflow, and vulnerabilities of memory corruption can be exploited in other ways. But it is also possible to generate buffer overflow in java, in some more specific passwords. When I get home, I’ll formulate a more complete answer that will give you a better north on this!!
– Ighor Augusto