URL: https://www.theregister.com/2023/06/29/cwe_top_25_2023/
It's 2023 and memory overwrite bugs are not just a thing, they're still number one

Cough, cough, use Rust. Plus: eight more exploited bugs added to CISA's
must-patch list

Jessica Lyons Hardcastle
Thu 29 Jun 2023 // 20:24 UTC




The most dangerous type of software bug is the out-of-bounds write, according to
MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the
US government's list of known vulnerabilities that are under active attack and
need to be patched, we note.

Out-of-bounds write, sometimes labeled CWE-787, also took the top spot in 2022,
showing a distinct lack of improvement.

An out-of-bounds write happens when software (and sometimes hardware) alters
memory it's not supposed to, such as by writing data to a memory buffer and
overshooting the end of that buffer, causing it to unexpectedly change other
variables and information and/or just crash. That kind of bug can be triggered
accidentally through normal operation, or it can be triggered deliberately by
exploit code.



Typically, exploit code will induce an out-of-bounds write to alter data
structures so that the flow of execution is hijacked and diverted in a way the
attacker chooses, allowing them to take control of the software, be it an
application, a remote service, or part of an operating system. Ideally, software
should be written to prevent this kind of overwrite, and using memory-safe
languages like Rust can help here.
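To make the mechanism concrete, here is an added example in C; it is not code from the article, MITRE or CISA. It models two neighbouring variables, an 8-byte name buffer followed by a 4-byte privilege flag, as one fixed byte region the way a compiler might lay them out in a stack frame or heap object. The layout, the `payload` bytes and all function names are constructed for the demo. `set_name_unchecked` is the CWE-787 pattern (trusting a caller-supplied length); `set_name_checked` is the bounds check that stops it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of memory for this example: an 8-byte name buffer
 * immediately followed by a 4-byte privilege flag, the way two neighbouring
 * variables might sit in a stack frame or heap object. Modelling both as one
 * flat byte array keeps the demo well-defined C (overrunning a real array is
 * undefined behaviour, which an optimizer may exploit) while showing exactly
 * what the overflow does to its neighbour. */
#define NAME_LEN   8
#define FLAG_OFF   NAME_LEN
#define REGION_LEN (NAME_LEN + 4)

struct region {
    unsigned char bytes[REGION_LEN];
};

static void region_init(struct region *r)
{
    memset(r->bytes, 0, sizeof r->bytes);       /* empty name, is_admin = 0 */
}

/* Read the privilege flag the way the program would, as a uint32_t. */
uint32_t region_is_admin(const struct region *r)
{
    uint32_t flag;
    memcpy(&flag, r->bytes + FLAG_OFF, sizeof flag);
    return flag;
}

/* CWE-787: copies `len` caller-controlled bytes into the NAME_LEN-byte name
 * slot without comparing `len` against the slot size. Input bytes 8..11 land
 * on the privilege flag. */
void set_name_unchecked(struct region *r, const unsigned char *src, size_t len)
{
    memcpy(r->bytes, src, len);                 /* no bounds check */
}

/* Hardened: reject input that does not fit instead of truncating silently,
 * so the caller learns the value was refused. Returns 0 on success, -1 when
 * `len` exceeds the slot. */
int set_name_checked(struct region *r, const unsigned char *src, size_t len)
{
    if (len > NAME_LEN)
        return -1;
    memcpy(r->bytes, src, len);
    memset(r->bytes + len, 0, NAME_LEN - len);  /* zero-fill the remainder */
    return 0;
}

/* Constructed attacker input: 8 bytes of name, then 4 bytes that set the
 * flag to 0x01010101 (the same value on any byte order). */
static const unsigned char payload[REGION_LEN] = {
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 0x01, 0x01, 0x01, 0x01
};

/* Flag value after the unchecked copy of the full 12-byte payload. */
uint32_t flag_after_unchecked(void)
{
    struct region r;
    region_init(&r);
    set_name_unchecked(&r, payload, sizeof payload);
    return region_is_admin(&r);                 /* 0x01010101: privilege escalated */
}

/* Return code of the checked copy for the first `len` bytes of the payload. */
int checked_copy_rc(size_t len)
{
    struct region r;
    region_init(&r);
    return set_name_checked(&r, payload, len);
}

/* Flag value after attempting the checked copy of `len` payload bytes. */
uint32_t flag_after_checked(size_t len)
{
    struct region r;
    region_init(&r);
    (void)set_name_checked(&r, payload, len);
    return region_is_admin(&r);                 /* stays 0 whether or not the copy was refused */
}

int main(void)
{
    printf("unchecked: is_admin = 0x%08x\n", (unsigned)flag_after_unchecked());
    printf("checked:   rc = %d, is_admin = 0x%08x\n",
           checked_copy_rc(sizeof payload), (unsigned)flag_after_checked(sizeof payload));
    return 0;
}
```

Two design points worth noting: the checked version refuses oversized input rather than quietly truncating it, because a silently shortened value is its own class of bug, and the flag is read back with memcpy rather than a pointer cast so the demo stays portable across alignment and aliasing rules.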




Number two on MITRE's list is the less complex but still annoying cross-site
scripting bug (CWE-79), which was key in four CVEs in the known exploited
vulnerabilities catalog maintained by Uncle Sam's CISA. At root, this bug type
is a failure to neutralize untrusted input before it is written into a web
page, where it runs as script in a visitor's browser; the durable fix is
encoding output for the context it lands in, not just filtering what comes in.

Number three — SQL injection flaws (CWE-89) — account for four known exploited
bugs in the CISA catalog. Again, another form of input sanitization failure.
Clean and neutralize your inputs, people, and better yet keep them out of the
query text altogether with parameterized queries. You can't assume all your
users are nice.



MITRE compiles the annual CWE Top 25 list by analyzing public vulnerability data
in America's National Vulnerability Database. This year's list is based on
43,996 CVE records for vulnerabilities in 2021 and 2022, and was issued in
conjunction with US Homeland Security and CISA.

"These weaknesses lead to serious vulnerabilities in software," the
cybersecurity agency warned today. "An attacker can often exploit these
vulnerabilities to take control of an affected system, steal data, or prevent
applications from working." 

In fact, the top three most dangerous software weaknesses for 2023 were also the
most dangerous, and in the same order, in the 2022 list. Progress is slow, it
seems.


Time to get patching

Also today, CISA added eight more flaws to its Known Exploited Vulnerabilities
Catalog. These affect D-Link and Samsung devices and they are tracked as:

 * CVSS 9.8 — CVE-2019-17621 D-Link DIR-859 router contains a command execution
   vulnerability.
 * CVSS 7.8 — CVE-2019-20500 D-Link DWL-2600AP access points are vulnerable to
   command injection attacks.
 * CVSS 7.8 — CVE-2021-25487 Samsung mobile devices are vulnerable to
   out-of-bounds read. 
 * CVSS 5.5 — CVE-2021-25489 Samsung mobile devices contain an improper input
   validation flaw.
 * CVSS 6.4 — CVE-2021-25394 Samsung mobile devices are susceptible to a race
   condition vulnerability.
 * CVSS 9.0 — CVE-2021-25395 another race condition bug in Samsung mobile
   devices, but this one's critical. 
 * CVSS 6.7 — CVE-2021-25371 an unspecified flaw in Samsung mobile devices.
 * CVSS 6.7 — CVE-2021-25372 Samsung mobile devices contain an improper boundary
   check vulnerability.

Back to MITRE's list: number four was one of the "biggest movers", jumping from
the seventh spot last year to the fourth-ranked most dangerous issue this year.
It's CWE-416, or use-after-free. This type of bug arises when a program, remote
service, or operating system component releases memory that's no longer needed,
and then continues to use it anyway. At that point it's relying on memory that
may since have been handed to, and filled by, some other code, which can lead
to crashes or hijacking of execution.

Again, memory-safe languages are useful here as they abstract away this fiddly
memory management, or ensure insecure memory use is blocked.
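Here is an added C example of the use-after-free pattern just described; it is not code from the article or from MITRE. Real heap reuse is undefined behaviour and not something a test can rely on, so the block uses a constructed toy allocator over a fixed arena with a LIFO free list, which reproduces the property that matters: the chunk you just freed is the one the next caller receives. The `session` layout, the 0x01 payload and all names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator over a fixed arena with a LIFO free list, so the most
 * recently freed chunk is the next one handed out: the reuse that makes
 * use-after-free exploitable on real heaps. Constructed for this example and
 * used instead of malloc/free because relying on a real allocator's reuse
 * pattern is undefined behaviour. */
#define CHUNK   16
#define NCHUNKS 4

struct session {
    uint32_t privilege;                         /* 0 = guest, nonzero = elevated */
    char     name[12];
};

/* A chunk is viewed either as a session or as raw bytes; going through the
 * union keeps that type punning defined for GCC and Clang. */
union chunk {
    struct session s;
    unsigned char  raw[CHUNK];
};

static union chunk arena[NCHUNKS];
static int free_list[NCHUNKS];
static int free_top;

void toy_init(void)
{
    memset(arena, 0, sizeof arena);
    free_top = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--)
        free_list[free_top++] = i;              /* chunk 0 is handed out first */
}

union chunk *toy_alloc(void)
{
    return free_top ? &arena[free_list[--free_top]] : NULL;
}

void toy_free(union chunk *c)
{
    free_list[free_top++] = (int)(c - arena);   /* LIFO: next toy_alloc returns it */
}

/* CWE-416: the session is freed, an attacker's same-sized allocation reclaims
 * the chunk and fills it, and the stale pointer then reads attacker bytes as
 * a privilege level. Returns what the stale read sees. */
uint32_t privilege_seen_by_stale_pointer(void)
{
    toy_init();
    union chunk *sess = toy_alloc();            /* victim object */
    sess->s.privilege = 0;
    memcpy(sess->s.name, "guest", 6);

    toy_free(sess);                             /* released ... */

    union chunk *msg = toy_alloc();             /* attacker's allocation lands on the same chunk */
    memset(msg->raw, 0x01, CHUNK);              /* constructed payload */

    return sess->s.privilege;                   /* ... but still used: reads 0x01010101 */
}

/* Hardened: memory is released through one helper that also clears the
 * owner's pointer, and later uses check for NULL. Returns -1 when the stale
 * use is caught, so attacker bytes are never interpreted. */
static void release_session(union chunk **pp)
{
    toy_free(*pp);
    *pp = NULL;
}

int privilege_with_cleared_pointer(void)
{
    toy_init();
    union chunk *sess = toy_alloc();
    sess->s.privilege = 0;
    release_session(&sess);                     /* frees and nulls the pointer */

    union chunk *msg = toy_alloc();             /* attacker still gets the chunk ... */
    memset(msg->raw, 0x01, CHUNK);

    if (sess == NULL)                           /* ... but the stale use is refused */
        return -1;
    return (int)sess->s.privilege;
}

int main(void)
{
    printf("stale read sees privilege 0x%08x\n", (unsigned)privilege_seen_by_stale_pointer());
    printf("with pointer cleared: %d\n", privilege_with_cleared_pointer());
    return 0;
}
```

The null-after-free discipline in `release_session` only protects the one pointer it is handed; any other copy of the address remains dangling, which is exactly the bookkeeping a memory-safe language does for you at compile time or run time.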



Some of the other biggest movers up the list, according to MITRE, include
CWE-862, which covers missing authorization bugs. This weakness jumped from
sixteenth position last year to number 11 in 2023.  

Additionally, CWE-269 (improper privilege management) moved up seven places to
22 on the list, and CWE-863 (incorrect authorization) rose four ranks to
number 24.


There are also two new entries to this year's Top 25: CWE-269 (improper
privilege management) in 22nd place and CWE-863 (incorrect authorization) in
24th. Both sat just outside the Top 25 last year, at 29th and 28th
respectively, which is how they can be both new entries and big movers.

"CWEs are becoming more and more prevalent in vulnerability exposure
conversations as the community looks to avoid the root causes that can become
vulnerabilities," according to MITRE. 

To this end, the nonprofit will publish a series of reports over the next few
months that aim to help organizations "more effectively" use the Top 25 list.
These will cover a range of topics including weaknesses that didn't quite make
the Top 25 — but orgs should still be aware of them. 

It will also publish a report on trends in CWEs over the last four years, and a
report on actively exploited weaknesses based on CISA's catalog.  ®

Get our Tech Resources

Share



SIMILAR TOPICS

 * Cybersecurity and Infrastructure Security Agency
 * Security
 * Vulnerability

More like these
×


SIMILAR TOPICS

 * Cybersecurity and Infrastructure Security Agency
 * Security
 * Vulnerability


NARROWER TOPICS

 * 2FA
 * Advanced persistent threat
 * Application Delivery Controller
 * Authentication
 * BEC
 * Black Hat
 * Bug Bounty
 * Common Vulnerability Scoring System
 * Cybercrime
 * Cybersecurity
 * Cybersecurity Information Sharing Act
 * Data Breach
 * Data Protection
 * Data Theft
 * DDoS
 * Digital certificate
 * Encryption
 * Exploit
 * Firewall
 * Hacker
 * Hacking
 * Identity Theft
 * Incident response
 * Infosec
 * Kenna Security
 * NCSAM
 * NCSC
 * Palo Alto Networks
 * Password
 * Phishing
 * Quantum key distribution
 * Ransomware
 * Remote Access Trojan
 * REvil
 * RSA Conference
 * Spamming
 * Spyware
 * Surveillance
 * TLS
 * Trojan
 * Trusted Platform Module
 * Wannacry
 * Y2K
 * Zero Day Initiative
 * Zero trust


BROADER TOPICS

 * Federal government of the United States

SIMILAR TOPICS

Share


3 COMMENTS

SIMILAR TOPICS

 * Cybersecurity and Infrastructure Security Agency
 * Security
 * Vulnerability

More like these
×


SIMILAR TOPICS

 * Cybersecurity and Infrastructure Security Agency
 * Security
 * Vulnerability


NARROWER TOPICS

 * 2FA
 * Advanced persistent threat
 * Application Delivery Controller
 * Authentication
 * BEC
 * Black Hat
 * Bug Bounty
 * Common Vulnerability Scoring System
 * Cybercrime
 * Cybersecurity
 * Cybersecurity Information Sharing Act
 * Data Breach
 * Data Protection
 * Data Theft
 * DDoS
 * Digital certificate
 * Encryption
 * Exploit
 * Firewall
 * Hacker
 * Hacking
 * Identity Theft
 * Incident response
 * Infosec
 * Kenna Security
 * NCSAM
 * NCSC
 * Palo Alto Networks
 * Password
 * Phishing
 * Quantum key distribution
 * Ransomware
 * Remote Access Trojan
 * REvil
 * RSA Conference
 * Spamming
 * Spyware
 * Surveillance
 * TLS
 * Trojan
 * Trusted Platform Module
 * Wannacry
 * Y2K
 * Zero Day Initiative
 * Zero trust


BROADER TOPICS

 * Federal government of the United States

TIP US OFF

Send us news

--------------------------------------------------------------------------------


OTHER STORIES YOU MIGHT LIKE

US GOVERNMENT HIT BY RUSSIA'S CLOP IN MOVEIT MASS ATTACK

CISA chief tells us exploitation 'largely opportunistic', not on same level of
SolarWinds
CSO14 days | 7

GUESS WHAT HAPPENED TO THIS US AGENCY USING OUTDATED SOFTWARE?

Infosec in brief Also: Hackers target security researchers, MaaS model
flourishing, and this week's vulnerabilities
Patches11 days | 16

A (CAUTIONARY) TALE OF TWO PATCHED BUGS, BOTH EXPLOITED IN THE WILD

One affects VMware's monitoring tool and the other TP-Link routers
Patches8 days | 8

TACKLING THE CYBER SKILLS GAP WITH AI

Why the future of cyber security could be fully autonomous where the AI works
independently
Sponsored Feature


WARNING: JAVASCRIPT REGISTRY NPM VULNERABLE TO 'MANIFEST CONFUSION' ABUSE

Failure to match metadata with packaged files is perfect for supply chain
attacks
Research2 days | 10

EX-FBI EMPLOYEE JAILED FOR TAKING CLASSIFIED MATERIAL HOME

Infosec in brief Also: a PII harvest at Dole's server farm, military members
mailed mystery smartwatches, and this week's critical vulns
CSO4 days | 55

GOOGLE BUG BOUNTIES INCH CLOSER TO MICROSOFT'S PAYOUTS

Chocolate Factory paid a record $12m in 2022
Security6 days | 8

ONLINE MUGGERS MAKE SERIOUS MOVES ON UNPATCHED MICROSOFT BUGS

Win32k and Visual Studio flaws are under attack
Security20 days | 3

JUNE PATCH TUESDAY: VMWARE VULN UNDER ATTACK BY CHINESE SPIES, MICROSOFT KINDA
MEH

Plus: Adobe, SAP and Android push updates
Patches16 days | 2

TO KILL BLACKLOTUS MALWARE, PATCHING IS A GOOD START, BUT...

...that alone 'could provide a false sense of security,' NSA warns in this handy
free guide for orgs
CSO7 days | 4

LATEST SUSE LINUX ENTERPRISE GOES ALL IN WITH CONFIDENTIAL COMPUTING

But you'll need the right hardware to take advantage
Sysadmin Month9 days | 2

APPLE SQUASHES KERNEL BUG USED BY TRIANGLEDB SPYWARE

Snoops may be targeting macOS in addition to iPhones, Kaspersky says
Patches8 days | 3


The Register Biting the hand that feeds IT

ABOUT US

 * Contact us
 * Advertise with us
 * Who we are

OUR WEBSITES

 * The Next Platform
 * DevClass
 * Blocks and Files

YOUR PRIVACY

 * Cookies Policy
 * Your Consent Options
 * Privacy Policy
 * T's & C's

Copyright. All rights reserved © 1998–2023