Mitre shared its findings of the most dangerous software vulnerabilities using its Common Weakness Enumeration (CWE) scale, a community developed list of software and hardware weakness types. The list details the common vulnerabilities which can give cybercriminals the ability to access machines to steal data or even cause crashes.
The team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.
The top three common weakness are the following:
1. Out of bounds Write
Topping the most dangerous software vulnerability list is CWE-78: Out of bounds Write.
According to Mitre, “The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.”
2. Improper Neutralization of Input During Web Page Generation (‘Cross site Scripting’)
Coming in second place is improper neutralization of input during web page generation or cross-site scripting (XSS). Mitre says, “The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. These vulnerabilities occur most often when untrusted data enters a web application, typically from a web request.”
3. Out of Bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. This can allow attackers to read sensitive information from other memory locations or cause a crash.
A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string.
The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow.
The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
Patch Those Software Vulnerabilities
Developers, testers, users, project managers, security researchers, and even educators should check their network systems for the most severe and current security weaknesses. Applying security patches is one of the key things organizations can do to protect their networks.