[HN Gopher] Top Routinely Exploited Vulnerabilities
___________________________________________________________________

Top Routinely Exploited Vulnerabilities

Author : infodocket
Score  : 46 points
Date   : 2021-07-29 21:44 UTC (1 hours ago)

(HTM) web link (us-cert.cisa.gov)
(TXT) w3m dump (us-cert.cisa.gov)

| fooker wrote:
| This reeks of survivorship bias.
|
| Making any decision based on this would be similar to examining
| warplanes for signs of bullets to determine which parts to
| reinforce.
|
| I'd assert that a good fraction of exploits are never
| caught/analyzed.

| huslage wrote:
| This is the best "patch your stuff" article I've ever seen.

| DaniloDias wrote:
| Fortinet's reputation remains unscathed.

| tptacek wrote:
| If you're a typical HN person, this list isn't going to be
| especially useful to you; it's basically collecting statistics
| about specific CVEs that are seen exploited in the wild, and
| those are heavily, heavily biased towards corporate IT
| infrastructure.

| croutonwagon wrote:
| What is the typical HN person?
|
| I can see usefulness here as I do manage IT infra at work. But
| I do agree it's totally different than the exploits I see
| attempted on my home IPS (which are mostly Netgear, D-Link
| PHP, webexploit/injections, and camera exploit attempts).

| GartzenDeHaes wrote:
| Probably not too many on HN using Drupal, for example. It's an
| odd-ball CMS that got implemented by a bunch of government
| agencies a decade or so ago (and most of them probably haven't
| been patched since).

| wffurr wrote:
| Mostly useful for contemplating the tragic state of security in
| corporate IT. Maybe the seed of a startup idea for fixing it.

| breckenedge wrote:
| There are already so many startups in this space. I suspect
| the solution isn't more/better technology, but taking away
| people's ability to operate IT services through higher
| insurance premiums.

| yabones wrote:
| I doubt it's even possible for a 'disruptor' to fix it; it's
| not a problem with products or services, it's a culture
| problem. Corporate IT has basically become the technical
| counterpart to middle management. Responsibility goes up the
| food chain to people who don't understand the problems, blame
| goes down to the front-line technicians, contractors, and
| often vendors who aren't capable of fixing the problems. We
| have two generations of Cisco and Microsoft evangelicals with
| no real understanding of the fundamentals. Certificate
| culture has prioritized checkbox quizzes over real learning.
|
| It will take serious culture changes to "fix" the corporate
| IT industry. Until there are actually consequences for doing
| unsafe things or using unsafe products, people will continue
| to take shortcuts.

| afrcnc wrote:
| Why use "heavily biased" to characterize the most common entry
| points for recent state espionage operations and ransomware
| attacks?
|
| These ARE the most routinely exploited vulnerabilities.
|
| Attacks on end-consumers usually rely on social engineering,
| not vulnerability exploitation, especially because Windows,
| Mac, and Linux have been heavily fortified against basic
| exploits.
|
| Most of the CVEs on the linked list are corporate gear running
| the same firmware since the 2000s, which explains why these
| devices are so heavily targeted right now. Easy exploits, large
| payouts, win!

| akiselev wrote:
| For the split second before I read your comment I thought
| someone had discovered a vulnerability in `top` and shat a
| brick.

| dylan604 wrote:
| I too had to re-read the title as my first read did not sit
| well either. I also wondered if htop is also susceptible,
| then ohhhhh. phew.

| semicolon_storm wrote:
| Two of the Microsoft CVEs (CVE-2017-11882, CVE-2020-0787) on this
| list are listed as "Exploitation Less Likely" if you view
| Microsoft's own info for those CVEs. I guess you can't trust the
| vendor to determine how exploitable a vulnerability is?

| lucb1e wrote:
| > I guess you can't trust the vendor to determine how
| > exploitable a vulnerability is?
|
| Not Microsoft at least. Most vendors, and the percentage grows
| with the size of the vendor, are very coy about it. And I get
| it: it doesn't look great for your shareholders, and it gets to
| a point where yes really you should be ashamed (looking at HP
| Data Protector here (note the irony)), but if you own up to it and
| also put countermeasures and hardening in place then really
| everyone is going to feel like they got their money's worth in
| the end. If instead you hide vulnerabilities, don't mention them
| in changelogs so we can't even check which version is fixed or
| anything, yeah we'll be recommending the client to look at
| alternatives. (Though it's not us security consultants that
| ever recommended a sysadmin to put a proprietary VPN in place
| in the first place, but then there's more at play than purely
| the security aspect.)
|
| Microsoft's advantage, of course: try getting out of that
| ecosystem if you have everyone implicitly trained in using
| Outlook and Windows. Microsoft gets to do with their advisories
| whatever the hell they like.

| zeusk wrote:
| The page says "at the time of original publication" right
| after exploit likelihood with patch released.
|
| So it's more like victims not updating their software.

| lucb1e wrote:
| Exploitation not being likely after installing the patch is
| like saying you're not likely to fall if you lie down
| first.
|
| But yes, of course the #1 recommendation is for our clients
| to Always Install Patches Immediately. Always. And they
| never ever do it. For comparison, though, OpenSSH needed to
| be updated for a critical vulnerability last in... 2002,
| maybe? Secure protocols _can_ be done, so it's not only
| the people not installing updates that are to blame here.

| zeusk wrote:
| Exploitation likeliness after patch doesn't really make
| sense. Maybe you're reading it wrong? See the page for
| yourself.
|
| Exploitation unlikely at the time of exploit discovery.
|
| A patch has been released.
|
| This means the reason why it shows up on the list is
| because people are running unpatched software. And it's
| really alarming because the 2017 CVE is for Office 2007,
| that's ~15 years old (with a patch available!).

| lucb1e wrote:
| Then I'm not sure what you meant to say about the patch
| being available and thus the problem just being not
| updating. The "exploitation not likely" statement is
| simply wrong if it's in the top list of this agency,
| right?
|
| Replying to your edit:
|
| > that's ~15 years old (with a patch available!)
|
| I haven't looked into this one, but you mention it's a
| 2017 CVE. That means the vuln was discovered (not even
| necessarily patched and disclosed) in 2017 and not 15
| years ago. The age of the product isn't the same as how
| fast they install security updates (but yeah apparently
| 2-3 years depending on the exact timeline (the stats are
| from 2020), so that's practically never).