These are the most dangerous software security flaws of the year – are you at risk?
The Mitre Corporation released its annual list of the most dangerous software flaws for 2023, and there’s been no change at the top spot.
The American not-for-profit organization has been analyzing public vulnerability data found in the National Vulnerability Database (NVD) for root cause mappings to CVE weaknesses for the past two years. During that time, the organization analyzed almost 44,000 CVEs.
As per the analysis, the out-of-bounds write flaw is the most dangerous software vulnerability of the year (as it was in 2022). This is a type of software flaw in which a program writes outside the bounds of an allocated area of memory. As a result, the endpoint might crash, or execute arbitrary code. Threat actors usually abuse this flaw by writing data that is larger than the allocated memory area, or by writing the data to an incorrect location within the memory area.
The prevention of out-of-bounds write flaws usually includes careful validation of all inputs, to make sure they’re within the expected range.
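The two abuse patterns described above (a copy larger than the destination, and a write to the wrong position inside it) and the input-validation defence can be shown side by side in C. The following is an added example and not code from the article or from MITRE; the one-byte length-prefixed record format, the FIELD_SIZE constant and the function names are constructed for illustration. The unchecked parser trusts the length field in the message; the checked one validates it against both the bytes actually received (preventing an out-of-bounds read) and the capacity of the destination (preventing an out-of-bounds write) before touching memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 16   /* constructed: fixed-size destination buffer */

/* Vulnerable pattern: the length is taken straight from the message and
 * used as the copy size, so a declared length larger than FIELD_SIZE
 * writes past the end of `out` (and a length larger than the message
 * reads past the end of `msg`). Kept only for contrast; never call it
 * with untrusted input. */
void parse_record_unchecked(const unsigned char *msg, char out[FIELD_SIZE])
{
    size_t declared = msg[0];          /* 1-byte length prefix, trusted as-is */
    memcpy(out, msg + 1, declared);    /* no comparison against FIELD_SIZE */
    out[declared] = '\0';              /* terminator lands wherever `declared` says */
}

/* Hardened version: validate the declared length against both the bytes
 * actually received and the capacity of the destination before any
 * memory access. Returns the payload length on success, -1 on rejection. */
int parse_record_checked(const unsigned char *msg, size_t msg_len,
                         char out[FIELD_SIZE])
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;                      /* nothing to read a length from */

    size_t declared = msg[0];
    if (declared > msg_len - 1)         /* would read past the received data */
        return -1;
    if (declared >= FIELD_SIZE)         /* would write past `out`; keep room for NUL */
        return -1;

    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Indexed write with an input-controlled position: the "incorrect
 * location within the area" variant. Returns 1 if written, 0 if rejected. */
int set_byte_checked(unsigned char *buf, size_t buf_len,
                     size_t index, unsigned char value)
{
    if (buf == NULL || index >= buf_len)
        return 0;
    buf[index] = value;
    return 1;
}

int main(void)
{
    /* Constructed sample messages: [len][payload...] */
    const unsigned char good[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    const unsigned char lying[] = { 200, 'x', 'y' };   /* length exceeds data and buffer */
    char out[FIELD_SIZE];

    int n = parse_record_checked(good, sizeof good, out);
    printf("good: %d bytes -> \"%s\"\n", n, out);

    n = parse_record_checked(lying, sizeof lying, out);
    printf("lying: rc=%d (rejected)\n", n);

    unsigned char buf[8] = {0};
    printf("index 7: %d, index 8: %d\n",
           set_byte_checked(buf, sizeof buf, 7, 0xAA),
           set_byte_checked(buf, sizeof buf, 8, 0xAA));
    return 0;
}
```

The order of the two checks matters: comparing the declared length against the received length first means the parser never reads a byte it was not given, and comparing against FIELD_SIZE with `>=` rather than `>` reserves the final byte for the terminator, which is the off-by-one that the unchecked version gets wrong even for "almost fitting" input.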
Other major software vulnerabilities include cross-site scripting (XSS), SQL injection, use after free, OS command injection, improper input validation, out-of-bounds read, path traversal, cross-site request forgery (CSRF), and unrestricted upload of a file with a dangerous type. The biggest change compared to last year is the exclusion of improper restriction of XML external entity reference, which is no longer considered among the top 25 most dangerous flaws.
Analysis: Why does it matter?
Software flaws such as these ones can be leveraged by threat actors for all kinds of cyberattacks. They can be used to steal sensitive data, take over vulnerable endpoints, engage in identity theft, wire fraud, and more. For example, cybersecurity researchers Francisco Falcon and Ivan Arce discovered out-of-bounds read (CVE-2023-1017) and out-of-bounds write (CVE-2023-1018) vulnerabilities in TPM 2.0, in early March 2023. Back then, it was said that the vulnerabilities could mean major trouble for “billions” of vulnerable devices.
“An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities,” CERT warned about the flaws at the time. “This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys).”
A month later, in early April, Apple reportedly fixed an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps and devices, and remotely execute code. In the worst case scenario, a threat actor could push a malicious app allowing them to execute arbitrary code with kernel privileges on the target endpoint. This app was used in the wild, Apple confirmed.
Popular instant messaging platform Telegram also wasn’t immune to out-of-bounds write flaws, as back in 2021, a security researcher discovered one such zero-day in a batch of 13 vulnerabilities.
Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) pushed a set of tips and best practices organizations can use to secure their Continuous Integration/Continuous Delivery (CI/CD) environments, The Hacker News also reported. As per the recommendations, businesses should implement strong cryptographic algorithms in their cloud app configurations, minimize the use of long-term credentials, and go for secure code signing. Furthermore, CISA states, businesses should utilize two-person rules when reviewing developer code commits, and adopt the principle of least privilege.
“By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate,” the two organizations stressed.
What have others said about it?
“MITRE’s 2023 top 25 weaknesses are dangerous due to their significant impact and widespread occurrence in software released over the past two years,” says BleepingComputer in its writeup. “By sharing this list, MITRE provides the broader community with valuable information regarding the most critical software security weaknesses that require immediate attention.”
The Register, on the other hand, was traditionally more cynical in its report, stating “Cough, cough, use Rust.”
“The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government’s list of known vulnerabilities that are under active attack and need to be patched,” it added, also stating that the fact that the same vulnerability is in the top spot for two years in a row signals a “distinct lack of improvement.”
Users on social media were somewhat less vocal, with the news flying under the radar on Reddit, while on Twitter one user stated: “First rule of programming…Don’t build your software on frameworks e.g. DotNet, Java, React, Node, JQuery or any other… Second rule of programming…Always use the native operating system’s API e.g. WIN32!”
Go deeper
If you want to learn more about staying safe online, start by reading our guide on the best antivirus programs, and our guide on the best firewalls right now. You should also check out what is 2FA, as well as our guide on the best ID theft protection solutions at the moment.
Via: The Hacker News