Mitre reveals the most dangerous software vulnerabilities
The list was published to create analytical rigor “instead of subjective surveys and opinions”
The not-for-profit Mitre Corporation has published an updated list of the world's 25 most dangerous software weaknesses that have inundated applications over the last couple years.
Among the top bugs were out-of-bounds writes and improper neutralization of inputs in web page generation. Mitre said the weaknesses included in the list are “often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.”
To compile the list, Mitre looked at Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. It applied a formula to the data to score each weakness based on prevalence and severity.
“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen,” said Mitre in a statement.
It said this approach was taken as it would provide an objective look at what vulnerabilities are currently seen in the real world, “creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions and makes the process easily repeatable.”
X-Force Threat Intelligence Index
Top security threats and recommendations for resilienceFree download
Number one on Mitre’s list was an out-of-bounds write flaw. Also known as CWE-787, this flaw happens when software writes data past the end or before the beginning of the intended buffer. This can result in corruption of data, a crash, or code execution. This scored 65.93, the highest on the list.
The next largest flaw was an improper input neutralization during web page generation or cross-site scripting bug. This is where software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page and served to other users. This scored 46.84 on the list.
Mitre said the major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses.
“A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged,” it said.
Join the 90% of enterprises accelerating to the cloud
Business transformation through digital modernisationFree Download
Delivering on demand: Momentum builds toward flexible IT
A modern digital workplace strategyFree download
Modernise the workforce experience
Actionable insights and an optimised experience for both IT and end usersFree Download
The digital workplace roadmap
A leader's guide to strategy and successFree Download