News

MITRE specialists published a list of 25 most dangerous threats that can lead to vulnerabilities

Representatives of the MITRE organization prepared an updated list of 25 most dangerous problems and shortcomings in the software, which can lead to vulnerabilities and can be used by attackers for hacking systems.

This time, the top 25 was compiled on the basis of its own MITRE data, information from the NVD (National Vulnerability Database), as well as CVSS. Previously, the list was built on the basis of surveys and personal interviews with developers, leading security analysts, researchers and vendors.

“These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working”, — write MITRE specialists.

Problems from this list have their own CWE identifiers (not to be confused with CVE) – Common Weakness Enumeration. CWEs differ from CVEs, in fact, the former are the forerunners of the latter, so CWEs directly result in vulnerabilities.

CWEs are divided into more than 600 categories, and this year the list was supplemented by CWEs, which combine very extensive classes of various problems, for example, CWE-20 (incorrect input verification), CWE-200 (information disclosure) and CWE-287 ( incorrect authentication).

Read also: IS Research: Small Business Does Not Update Critical Software

The top 10 problems identified by MITER specialists can be seen in the table below. Points were assigned to problems based on how often the CWE serves as a starting point for the actual vulnerability, as well as the severity of its potential exploitation.

Rank ID Name Score
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 75,56
[2] CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45,69
[3] CWE-20 Improper Input Validation 43,61
[4] CWE-200 Information Exposure 32,12
[5] CWE-125 Out-of-bounds Read 26,53
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 24,54
[7] CWE-416 Use After Free 17,94
[8] CWE-190 Integer Overflow or Wraparound 17,35
[9] CWE-352 Cross-Site Request Forgery (CSRF) 15,54
[10] CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14,1
[11] CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 11,47
[12] CWE-787 Out-of-bounds Write 11,08
[13] CWE-287 Improper Authentication 10,78
[14] CWE-476 NULL Pointer Dereference 9,74
[15] CWE-732 Incorrect Permission Assignment for Critical Resource 6,33
[16] CWE-434 Unrestricted Upload of File with Dangerous Type 5,5
[17] CWE-611 Improper Restriction of XML External Entity Reference 5,48
[18] CWE-94 Improper Control of Generation of Code (‘Code Injection’) 5,36
[19] CWE-798 Use of Hard-coded Credentials 5,12
[20] CWE-400 Uncontrolled Resource Consumption 5,04
[21] CWE-772 Missing Release of Resource after Effective Lifetime 5,04
[22] CWE-426 Untrusted Search Path 4,4
[23] CWE-502 Deserialization of Untrusted Data 4,3
[24] CWE-269 Improper Privilege Management 4,23
[25] CWE-296 Improper Certificate Validation 4,06

Compared to 2011, this year new problems make up about a third of the list. However, most of the threats that were relevant at that time, are still dangerous now.

For example, among them are unlimited downloading of dangerous file types (CWE-434), SQL injection (CWE-89), and command injection (CWE-78). Nevertheless, it is worth noting that many old participants in the threat top still noticeably lose their positions: SQL injections have become less common and have fallen from first place to sixth place; the use of hard-coded credentials, the CWE-798, completely dropped from seventh to nineteenth, compared to 2011.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

1 day ago