Joined: 14 Oct 2017
Posted: Wed Nov 29, 2017 1:39 pm. Post subject: CComBSTR Issues!
We sell terminal emulation and FTP client software to banks. These programs use SSL and SSH DLLs to do the encryption, and must be passed a password, which is done using a CComBSTR.
The bank sent us an email indicating they saw clear text passwords in memory 10 minutes after the user logged in. We looked into this and cleaned up our own code, but we can still see a BSTR with the clear text password in memory, sometimes.
We talked to our supplier and they made some changes which reduced the chance of seeing a clear text password in memory, but they said they can't do anything about the CComBSTR issue.
I couldn't find the right solution on the Internet.
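As an added example (not code from the post or from the vendor's DLLs): a scoped BSTR holder that zeroes the password characters before SysFreeString releases the block, which is the step CComBSTR skips. On Windows it uses the real OLE calls; off Windows it uses small stand-ins that only model the BSTR layout (an assumption for the sake of building the example anywhere).

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cwchar>
#ifdef _WIN32
#include <windows.h>  // real BSTR, SysAllocString, SysStringByteLen, SysFreeString, SecureZeroMemory
#else
// Portable stand-ins (assumption: they model, not reproduce, OLE automation): a BSTR points just past a 4-byte byte-length prefix.
typedef wchar_t* BSTR;
static BSTR SysAllocString(const wchar_t* s) {
    uint32_t bytes = (uint32_t)(wcslen(s) * sizeof(wchar_t));
    unsigned char* block = (unsigned char*)malloc(4 + bytes + sizeof(wchar_t));
    memcpy(block, &bytes, 4);
    memcpy(block + 4, s, bytes + sizeof(wchar_t));  // characters plus terminator
    return (BSTR)(block + 4);
}
static uint32_t SysStringByteLen(BSTR b) { uint32_t n; memcpy(&n, (unsigned char*)b - 4, 4); return n; }
static void SysFreeString(BSTR b) { if (b) free((unsigned char*)b - 4); }
static void SecureZeroMemory(void* p, size_t n) {  // volatile stores the optimizer may not drop
    volatile unsigned char* v = (volatile unsigned char*)p;
    while (n--) *v++ = 0;
}
#endif
// SysFreeString alone leaves the characters in the freed block; zero them first.
static void WipeAndFreeBstr(BSTR b) {
    if (!b) return;
    SecureZeroMemory(b, SysStringByteLen(b));
    SysFreeString(b);
}
// Scoped holder to use instead of CComBSTR for secrets: non-copyable, so no
// untracked duplicates, and wiped when it goes out of scope.
class WipingBstr {
public:
    explicit WipingBstr(const wchar_t* s) : b_(SysAllocString(s)) {}
    ~WipingBstr() { WipeAndFreeBstr(b_); }
    WipingBstr(const WipingBstr&) = delete;
    WipingBstr& operator=(const WipingBstr&) = delete;
    BSTR get() const { return b_; }
private: BSTR b_;
};
// True if, after the wipe, every byte of the character buffer reads as zero.
static bool WipeClearsBuffer(const wchar_t* secret) {
    BSTR b = SysAllocString(secret);
    uint32_t bytes = SysStringByteLen(b), nonzero = 0;
    SecureZeroMemory(b, bytes);
    for (uint32_t i = 0; i < bytes; ++i) nonzero += ((unsigned char*)b)[i] != 0;
    SysFreeString(b);
    return nonzero == 0;
}
```

This only covers the copy the caller owns: every CComBSTR temporary, Copy() or assignment allocates another BSTR that is freed without wiping, and copies made inside the DLLs are out of the caller's hands, so a memory scan can still find the password there.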