https://www.theregister.co.uk/2018/04/04/microsoft_windows_defender_rar_bug/
A remote-code execution vulnerability in Windows Defender – a flaw that can be exploited by malicious .rar files to run malware on PCs – has been traced back to an open-source archiving tool Microsoft adopted for its own use.
[...] Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
(Score: 2) by tangomargarine on Tuesday April 10 2018, @04:19PM (1 child)
Doesn't the compiler spit out a warning on this, though? If you're blanket-suppressing warnings in C++ you kind of deserve what you get.
My previous job involved C++ work and I'll be the first to admit that what the compiler tells you can be pretty misleading. But at least you know there's *some* problem.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @04:51PM
Yes, compilers started to spit out warnings for this specific problem exactly because it is a problem (I have no idea if all of them do).
Actually, many compiler warnings are actually pointing out design flaws of the language. If the language were properly designed, you'd not need the warning.