It seems that buffer overflow is inherent in applications written in unmanaged code. A recent article Unpatched Firefox 1.5 exploit made public on ZDNet suggests that even the most popular applications these days are far from being immune to this problem.
Buffer overflow has been a major security risk to all the unmanaged code. Almost all the recent windows security patches are related to buffer overflow and related problems. And unless a very rigorous code review process is adopted, almost all code written in unmanaged code (e.g. C, C++) is subject to such risk. Applications written in managed code (e.g. Java, .Net), on the other hand are much more secure because as long as the underlying runtime is secure, the applications would be inherently immune to such risk. And this is possible since the common runtime environment can be coded by a group of elite programmers and contains only a relatively small footprint.
Theres no doubt that most modern business applications are taking advantage of managed code, and it is not surprising to see that the majority of the security-conscious business applications are written in either Java or .Net. Microsofts next major operating system Windows Vista is betting on such a trend by integrating the managed environment far deeper into the operating system core. This does not mean that the unmanaged environment will disappear however, as most of the performance critical applications (e.g. a small portion of the business applications and the majority of games) would be mostly likely written in native code such as C or C++. It would be interesting to see how these two groups of programmers would evolve over the time.
