Buffer overflows are a common security attack vector. They are difficult to guard against
without an endpoint security product such as Cisco Security Agent. It's important to know
what a buffer overflow is and why an endpoint protection product can thwart the attack.
A buffer overflow attack can take place when an application does not properly control
all the input that is provided. That is, there can be too much input, embedded commands, or
improper formats or encoding. All of these conditions have the capability to cause a buffer
overflow within the application. That means the memory space allocated to the application
has been overrun. Why is this a problem? If the memory space that is allocated is overrun,
you may intrude upon space used by the operating system. And that is precisely what the
attacker is hoping to do.
If the attacker can cause the overflow, then they may be able to drop into a command
shell and, more often than not, have administrator (on a Windows box) or root (on a Unix
box) privileges. Once that happens, the attacker can do almost anything they want. Some
people like to refer to this situation as "game over."
While this section is about buffer overflows, the following types of attacks can also give
an attacker administrator or root privileges. Therefore, they also need to be considered:
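The condition described above, an application that never checks how much input it was given, is shown here in C next to the bounded version that rejects oversized input. This is an added illustration, not code from the book or from Cisco Security Agent; the buffer size, function names, and sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed: a fixed-size buffer, as in the vulnerable pattern */

/* The vulnerable pattern: the length of `input` is never checked, so anything
 * longer than NAME_MAX - 1 characters is written past the end of `dest`, overrunning
 * the memory allocated to it. Shown for contrast; never call it with untrusted input. */
void copy_name_unchecked(char dest[NAME_MAX], const char *input)
{
    strcpy(dest, input);   /* no bound: the caller's input decides how much is written */
}

/* The fix: validate the length before touching the buffer. Fills `dest` and returns
 * true only when the input (plus its terminator) fits; otherwise leaves `dest` empty
 * and returns false so the caller can reject the request instead of overrunning memory. */
bool copy_name_checked(char dest[NAME_MAX], const char *input)
{
    const char *nul = memchr(input, '\0', NAME_MAX);   /* scan no further than the bound */
    dest[0] = '\0';
    if (nul == NULL) {
        return false;   /* no terminator within NAME_MAX bytes: input is too long */
    }
    memcpy(dest, input, (size_t)(nul - input) + 1);   /* copies the terminating NUL too */
    return true;
}

/* Convenience check: would this input fit the fixed-size buffer? */
bool name_fits(const char *input)
{
    char tmp[NAME_MAX];
    return copy_name_checked(tmp, input);
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed sample inputs: one that fits and one that does not. */
    const char *ok = "operator";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 characters */

    printf("\"%s\": %s\n", ok, copy_name_checked(name, ok) ? "accepted" : "rejected");
    printf("%zu-byte input: %s\n", strlen(too_long),
           copy_name_checked(name, too_long) ? "accepted" : "rejected");
    /* copy_name_unchecked(name, too_long) would overrun `name`; it is deliberately not called. */
    return 0;
}
```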
■ Worm attacks
■ Virus attacks
■ Trojan horses
These attacks differ from buffer overflows in how they act and how they are delivered.
Some are delivered via email in the form of attachments. If the user opens the attachment,
the attacking program can gain access. Some are also delivered in a URL embedded in
email. If the user visits the URL with a browser, the host can be exploited. Still others are