[HN Gopher] Top Routinely Exploited Vulnerabilities
___________________________________________________________________
Top Routinely Exploited Vulnerabilities
Author : infodocket
Score : 46 points
Date : 2021-07-29 21:44 UTC (1 hours ago)
(HTM) web link (us-cert.cisa.gov)
(TXT) w3m dump (us-cert.cisa.gov)
| fooker wrote:
| This reeks of survivorship bias.
|
| Making any decision based on this would be similar to examining
| warplanes for signs of bullet holes to determine which parts to
| reinforce.
|
| I'd assert that a good fraction of exploits are never
| caught/analyzed.
| huslage wrote:
| This is the best "patch your stuff" article I've ever seen.
| DaniloDias wrote:
| Fortinet's reputation remains unscathed.
| tptacek wrote:
| If you're a typical HN person, this list isn't going to be
| especially useful to you; it's basically collecting statistics
| about specific CVEs that are seen exploited in the wild, and
| those are heavily, heavily biased towards corporate IT
| infrastructure.
| croutonwagon wrote:
| What is the typical HN person?
|
| I can see usefulness here as I do manage IT infra at work. But
| I do agree it's totally different from the exploits I see
| attempted on my home IPS (which are mostly Netgear, D-Link
| PHP, web exploit/injection, and camera exploit attempts).
| GartzenDeHaes wrote:
| Probably not too many on HN using Drupal, for example. It's an
| odd-ball CMS that got implemented by a bunch of government
| agencies a decade or so ago (and most of them probably haven't
| been patched since).
| wffurr wrote:
| Mostly useful for contemplating the tragic state of security in
| corporate IT. Maybe the seed of a startup idea for fixing it.
| breckenedge wrote:
| There are already so many startups in this space. I suspect
| the solution isn't more/better technology, but taking away
| people's ability to operate IT services through higher
| insurance premiums.
| yabones wrote:
| I doubt it's even possible for a 'disruptor' to fix it. It's
| not a problem with products or services, it's a culture
| problem. Corporate IT has basically become the technical
| counterpart to middle management. Responsibility goes up the
| food chain to people who don't understand the problems, blame
| goes down to the front-line technicians, contractors, and
| often vendors who aren't capable of fixing the problems. We
| have two generations of Cisco and Microsoft evangelicals with
| no real understanding of the fundamentals. Certificate
| culture has prioritized checkbox quizzes over real learning.
|
| It will take serious culture changes to "fix" the corporate
| IT industry. Until there are actually consequences for doing
| unsafe things or using unsafe products, people will continue
| to take shortcuts.
| afrcnc wrote:
| Why use "heavily biased" to characterize the most common entry
| points for recent state espionage operations and ransomware
| attacks?
|
| These ARE the most routinely exploited vulnerabilities.
|
| Attacks on end-consumers usually rely on social engineering,
| not vulnerability exploitation, especially because Windows,
| Mac, and Linux have been heavily fortified against basic
| exploits.
|
| Most of the CVEs on the linked list are corporate gear running
| the same firmware since the 2000s, which explains why these
| devices are so heavily targeted right now. Easy exploits, large
| payouts, win!
| akiselev wrote:
| For the split second before I read your comment I thought
| someone had discovered a vulnerability in `top` and shat a
| brick
| dylan604 wrote:
| I too had to re-read the title as my first read did not sit
| well either. I also wondered if htop is also susceptible,
| then ohhhhh. phew.
| semicolon_storm wrote:
| Two of the Microsoft CVEs (CVE-2017-11882, CVE-2020-0787) on this
| list are listed as "Exploitation Less Likely" if you view
| Microsoft's own info for those CVEs. I guess you can't trust the
| vendor to determine how exploitable a vulnerability is?
| lucb1e wrote:
| > I guess you can't trust the vendor to determine how
| exploitable a vulnerability is?
|
| Not Microsoft at least. Most vendors, and the percentage grows
| with the size of the vendor, are very coy about it. And I get
| it: it doesn't look great for your shareholders, and it gets to
| a point where yes really you should be ashamed (looking at HP
| Data Protector here (note the irony)), but if you own up to it
| and also put countermeasures and hardening in place then really
| everyone is going to feel like they got their money's worth in
| the end. If instead you hide vulnerabilities, don't mention
| them in changelogs so we can't even check which version is
| fixed or anything, yeah we'll be recommending that the client
| look at alternatives. (Though it's not us security consultants
| that ever recommended a sysadmin put a proprietary VPN in place
| in the first place, but then there's more at play than purely
| the security aspect.)
|
| Microsoft's advantage, of course: try getting out of that
| ecosystem if you have everyone implicitly trained in using
| Outlook and Windows. Microsoft gets to do with their advisories
| whatever the hell they like.
| zeusk wrote:
| The page says "at the time of original publication" right
| after the exploit likelihood, with the patch released.
|
| So it's more like victims not updating their software.
| lucb1e wrote:
| Exploitation not being likely after installing the patch is
| like saying you're not likely to fall if you lie down
| first.
|
| But yes, of course the #1 recommendation is for our clients
| to Always Install Patches Immediately. Always. And they
| never ever do it. For comparison, though, OpenSSH needed to
| be updated for a critical vulnerability last in... 2002,
| maybe? Secure protocols _can_ be done, so it's not only
| the people not installing updates that are to blame here.
| zeusk wrote:
| Exploitation likeliness after the patch doesn't really make
| sense. Maybe you're reading it wrong? See the page for
| yourself.
|
| Exploitation unlikely at the time of exploit discovery.
|
| A patch has been released.
|
| This means the reason why it shows up on the list is
| because people are running unpatched software. And it's
| really alarming because the 2017 CVE is for Office 2007,
| which is ~15 years old (with a patch available!).
| lucb1e wrote:
| Then I'm not sure what you meant to say about the patch
| being available and thus the problem just being not
| updating. The "exploitation not likely" statement is
| simply wrong if it's in the top list of this agency
| right?
|
| Replying to your edit:
|
| > that's ~15 years old (with a patch available!)
|
| I haven't looked into this one, but you mention it's a
| 2017 CVE. That means the vuln was discovered (not even
| necessarily patched and disclosed) in 2017 and not 15
| years ago. The age of the product isn't the same as how
| fast they install security updates (but yeah apparently
| 2-3 years depending on the exact timeline (the stats are
| from 2020), so that's practically never).
___________________________________________________________________
(page generated 2021-07-29 23:00 UTC)