A Microsoft engineer revealed in a presentation a few days ago that 70% of the patches Microsoft issues each year are related to memory safety issues.
ZDNet has a good write-up on the story:
"Memory safety bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses.
Users who often read vulnerability reports come across terms over and over again. Terms like buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free—all describe memory safety vulnerabilities."
Why is this happening? According to the article:
"The reason for this high percentage is because Windows has been written mostly in C and C++, two 'memory-unsafe' programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. One slip-up in the developers' memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences—such as remote code execution or elevation of privilege flaws."
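The kind of slip-up the quoted passage describes, shown as an added example that is not from the ZDNet article or the Microsoft presentation: a parser that trusts a length byte, next to a version that checks it, plus a release helper that guards against double free and use after free. The record layout and all names (`struct record`, `parse_unsafe`, `parse_checked`, `record_release`) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16

struct record {
    char name[NAME_MAX_LEN];  /* fixed-size destination buffer */
    uint32_t is_admin;        /* adjacent field an overflow would clobber */
};

/* The slip-up: the length byte from the input is trusted. A value above
 * NAME_MAX_LEN writes past name[] (buffer overflow); a value above the
 * bytes actually supplied reads past the input (over-read). */
int parse_unsafe(struct record *r, const uint8_t *msg, size_t msg_len) {
    (void)msg_len;                    /* never consulted: that is the bug */
    memcpy(r->name, msg + 1, msg[0]);
    return 0;
}

/* Hardened: the length is validated against both buffers before use. */
int parse_checked(struct record *r, const uint8_t *msg, size_t msg_len) {
    if (r == NULL || msg == NULL || msg_len < 1) return -1;
    size_t n = msg[0];
    if (n > msg_len - 1) return -1;    /* claims more than was sent */
    if (n >= NAME_MAX_LEN) return -1;  /* keep room for the terminator */
    memcpy(r->name, msg + 1, n);
    r->name[n] = '\0';
    return 0;
}

/* Free and clear the caller's pointer: a second release is a no-op (no
 * double free) and a later use sees NULL instead of a stale address. */
void record_release(struct record **rp) {
    if (rp == NULL || *rp == NULL) return;
    free(*rp);
    *rp = NULL;
}

int main(void) {
    uint8_t msg[41] = {40};  /* constructed: claims 40 bytes for a 16-byte field */
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL) return 1;
    int rc = parse_checked(r, msg, sizeof msg);
    printf("checked rc=%d is_admin=%u\n", rc, (unsigned)r->is_admin);
    record_release(&r);
    return 0;
}
```

The two functions differ only by the validation lines, which is the sense in which one missing check becomes a memory safety bug; building with `-fsanitize=address` makes the unchecked copy fail loudly during testing.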