MITRE Corporation released its annual list of the most dangerous software flaws for 2023, and there is no change in the top spot.
The US non-profit organization has spent the past two years analyzing public vulnerability data in the National Vulnerability Database (NVD) to map CVE records to their root causes. During that time, it analyzed approximately 44,000 CVEs.
According to the analysis, the out-of-bounds write flaw is the most dangerous software vulnerability of the year (as it was in 2022). This is a type of software fault in which a program writes outside the bounds of an allocated area of memory. As a result, the program may crash or be made to execute arbitrary code. Threat actors commonly abuse this flaw by writing data larger than the allocated memory region, or by writing data to an incorrect location within the memory region.
Prevention of out-of-bounds write faults usually involves careful validation of all inputs to ensure that they are within the expected range.
Other major software vulnerabilities include cross-site scripting (XSS), SQL injection, use after free, OS command injection, improper input validation, out-of-bounds read, path traversal, cross-site request forgery (CSRF), and unrestricted upload of files with a dangerous type. The biggest change from last year is the exclusion of improper restriction of XML external entity references, which no longer appears among the top 25 most dangerous flaws.
Analysis: Why does it matter?
Such software flaws can be exploited by threat actors for all kinds of cyber attacks. They can be used to steal sensitive data, take over vulnerable endpoints, commit identity theft, wire fraud, and more. For example, in early March 2023 cybersecurity researchers Francisco Falcon and Ivan Arce disclosed an out-of-bounds read (CVE-2023-1017) and an out-of-bounds write (CVE-2023-1018) vulnerability in TPM 2.0. At the time, it was said that the vulnerabilities could cause major problems for “billions” of vulnerable devices.
CERT warned about the flaws at the time, saying “an attacker who has access to the TPM-command interface could send maliciously crafted commands to the module and trigger these vulnerabilities. This allows either read-only access to sensitive data or the overwriting of normally protected data that is only accessible to the TPM (for example, cryptographic keys).”
A month later, in early April, Apple reportedly fixed an out-of-bounds write vulnerability in IOSurface that allowed threat actors to corrupt data, crash apps and devices, and remotely execute code. In the worst case, a threat actor could push a malicious app that executes arbitrary code with kernel privileges on the target endpoint. Apple confirmed the flaw had been exploited in the wild.
Popular instant messaging platform Telegram was also not immune to out-of-bounds write flaws: in 2021, a security researcher discovered one such zero-day in a batch of 13 vulnerabilities.
Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) released a set of recommendations and best practices that organizations can use to protect their continuous integration/continuous delivery (CI/CD) environments, The Hacker News also reported. According to the recommendations, businesses should implement strong cryptographic algorithms in their cloud application configurations, minimize the use of long-term credentials, and secure code signing. In addition, CISA says, businesses should apply the two-person rule and the principle of least privilege when reviewing developer code commits.
Both organizations stressed, “By implementing the proposed mitigations, organizations can reduce the number of exploit vectors in their CI/CD environments and create a more challenging environment for adversaries.”
What have others said about it?
“MITRE’s top 25 vulnerabilities of 2023 are alarming due to their significant impact and widespread occurrence in software released in the last two years,” BleepingComputer wrote in its report. “By sharing this list, MITRE provides the broader community with valuable information about the most critical software security vulnerabilities that require immediate attention.”
The Register’s report, on the other hand, was characteristically more cynical, stating: “cough, cough, use Rust.”
According to MITRE this week, “the most dangerous type of software bug is the out-of-bounds write. This type of flaw is responsible for 70 CVE-tagged flaws on the US government’s list of known vulnerabilities that are under active attack and need to be fixed.” Two consecutive years at the top indicate a “clear lack of improvement”.
Users were somewhat less vocal on social media, and the news flew under the radar on Reddit. On Twitter, one user said: “First rule of programming… Don’t build your software on frameworks like DotNet, Java, React, Node, JQuery or any other… Second rule of programming… Always use the API of the native operating system. Use WIN32!”
Go deeper
If you want to learn more about staying safe online, start by reading our guide to the best antivirus programs and our guide to the best firewalls right now. You should also check out what 2FA is, as well as our guide on the best ID theft protection solutions right now.
Via: The Hacker News