
overthrow | 2 years ago

The majority of CVEs are due to memory exploits. For C/C++ code that holds true across companies and OSs.

Microsoft says 70% https://www.zdnet.com/article/microsoft-70-percent-of-all-se...

Google says 70% https://www.chromium.org/Home/chromium-security/memory-safet...


FreakLegion|2 years ago

A majority of CVEs are memory exploits. A majority of attacks don't use CVEs. It's a common misconception among people on HN who don't work in the field.

Genbox|2 years ago

I work in the field and I'm not entirely sure about the cardinality of types of attacks. On one hand, there are password spraying, RDP bruteforces, email attachments, social engineering etc. On the other we have BlueKeep, ZeroLogon and the tons of RCE present in VPNs (looking at you PulseSecure), Routers, and Firewalls.

I would say that breaches often are related to RCE that ultimately derives from buffer exploitation. They are notoriously difficult to detect with forensics techniques, so they might not be discovered and tracked.

tthun|2 years ago

I don’t work in the field but do you know for a fact companies like NSO don’t use memory exploits for their attacks? A majority of the “published” attacks is probably a better assertion.

mschuster91|2 years ago

> A majority of attacks don't use CVEs.

Depends what your definition of "attacks" is, to be precise: is an event where an adversary places a malicious ad with code exploiting a browser 0day counted as one attack or as X attacks with X being the number of infected machines?

Additionally, the same segmentation (with the same split) applies if you only count large-scale hacks against organizations as attacks, or if you're counting infected machines of everyday common people as attacks as well. Basically, if you're counting attacks on organizations, you're correct as the majority entrypoint there is social engineering and outdated exploitable software/appliances reachable from the public internet or a compromised partner connected to the victim's network.

Hasz|2 years ago

This is an excellent point. At the end of the day, rewriting is time and resource intensive. If there isn't a very good business case to back up the change, it's very difficult to justify the project.

This is why you see so many whitepapers trying to quantify things like consumer trust, reputational damage, regulatory impact, etc. If there is a true cost to the damage, the investment in prevention can be made and compared with other requests, like new features, scope, etc.

ranger_danger|2 years ago

No need to be rude about splitting hairs.

worthless-trash|2 years ago

Tell me again that dirtycow wasn't used in the field.

NikolaNovak|2 years ago

I don't know if this is pedantic, but op indicated "attacks" not "vulnerabilities". I would not be surprised if statistics in vulnerabilities are different than statistics in realized attacks?

overthrow|2 years ago

If there's a difference I'm open to someone citing a source quantifying it, but I won't quite be convinced by unsourced blanket generalizations that go against common wisdom.