Mostly because of C and C++
More than 70 percent of Microsoft patches are for memory safety bugs.
Speaking to the assembled throngs at an Israel Security conference, a Microsoft engineer Matt Miller said that memory safety bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses.
He said that over the the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.
The reason for this high percentage is because Windows has been written mostly in C and C++, two "memory-unsafe" programming languages that allow developers fine-grained control of the memory addresses where their code can be executed.
One slip-up in the developers' memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences --such as remote code execution or elevation of privilege flaws.
Memory safety errors are today's biggest attack surface for hackers, and attackers appear to be capitalising on their availability.
Vole has patched most of the basic memory safety bugs, but attackers and bug hunters have also stepped up their game, moving from basic memory errors that spew code into adjacent memory to more complex exploits that run code at desired memory addresses, ideal for targeting others apps and processes running on the system.