back to article Here's a list of the flaws Russia, China, Iran and pals exploit most often, say Five Eyes infosec agencies

Western cybersecurity agencies have published a list of 30 of the most exploited vulnerabilities abused by hostile foreign states in 2020, urging infosec bods to ensure their networks and deployments are fully patched against them. Number one on the US, UK, and Australia's jointly published [PDF] list was the well-known Citrix …

  1. Anonymous Coward
    Anonymous Coward

    sed quis custodiet ipsos custodes?

    But who shall guard the guards themselves?

  2. TJ1

    It's in the name!

    So, if it has "Secure", "VPN", "net", "IP", or "Microsoft" in the name don't trust it !?

  3. Mike 137 Silver badge


    Looking this dozen up on the CVE, I find:

    four failures to sanitize properly;

    two failures to parse properly;

    one failure to validate properly;

    one poor encryption implementation;

    one instance of development code left in release;

    one instance of open access to script components;

    one instance of poor memory management;

    one instance of uncontrolled file write.

    All these are really quite basic errors that should at least shown up under pre-release testing, and it's interesting (and disturbing) that over half of them are failures to ensure input is valid and legal.

    1. Headley_Grange Silver badge

      Re: Causes

      Good work - and maybe not surprising. Releasing good code is expensive. I guess that an analogy is safety critical development (SIL, SW01, DO-178, etc). These standards don't just focus on development, coding and testing, but on the company environment and processes that surround and support them from design concepts to in-service support. It makes SW development in these environments expensive, a bit less fun sometimes, and it makes it much harder for a director to shout "just fucking release it or we'll miss this quarter's numbers".

      I don't think we'll ever see security equivalents of these safety standards, partly because of the expense but mainly because of today's expected rapid turnover of product and introduction of new features.

    2. Pascal Monett Silver badge

      So basically programmer lazyness. Apart from a poor encryption implementation (hey, encryption is hard, okay ?), none of the other causes have any sort of valid excuse.

      1. Mike 137 Silver badge

        "Apart from a poor encryption implementation..."

        Actually, the error was to default the key field to all zeros, so if a user entered key of all zeros it could sometimes allow access. Even I - definitely not a cryprographer - know the default should be random and different every time.

      2. martinusher Silver badge

        >So basically programmer laziness

        Maybe, but there could be a lot of other explanations. The most likely based on my own experience is that there's just too many bases to cover and too few people to cover them. Management tends to underestimate both the scope and depth of problems, both tangible and likely, because it impacts schedules. They're particularly sensitive about programmers who are not actively working on a project they can book hours against even though those programmers may be doing what could be described as essential QA functions. (In my experience QA departments are very good at finding user interface bugs and other directly operational problems, they're also good at running canned test programs and certification scripts. What they're not very good at is really subtle problems because these actions have to deliberately look for trouble, they're more of a developer role than a tester.)

        Anyway, its a bit unfair to just describe programmers as 'lazy'. Its a typical 'never done complex development in a team environment' statement, the sort of thing you get from disconnected managers.

    3. Julz

      Re: Causes

      Yep, all the sort of things that used to be picked up in testing. I guess you get what you don't pay for.

  4. Allan George Dyer

    Fantastic List...

    Can they follow up with a list of the the most exploited vulnerabilities abused by friendly states?

    1. Pascal Monett Silver badge

      Define friendly

      1. Allan George Dyer

        As defined by Five Eyes infosec agencies, obviously. I'm guessing that is basically the Five Eyes infosec agencies themselves, but who knows? And is there a third category: neutrals? Maybe not, anyone who spies and doesn't share with Five Eyes infosec agencies would go straight into hostile.

        I'm also guessing my downvotes are from Five Eyes infosec agencies, hi there, you know where I live.

        1. Julz

          Well, given the way the agencies are split into cells, I'm not sure any of them would know what they themselves are doing. Probably got a better chance of discovering what their sister agencies are up to.

        2. Anonymous Coward

          "I'm also guessing my downvotes are from Five Eyes infosec agencies"

          You can't see their votes!

  5. Anonymous Coward
    Anonymous Coward


    Now we have a list of vulnerabilities that the US, UK, and Australia haven't been able to weaponize.

    1. veti Silver badge

      Re: Great

      I would assume they considered them too obvious to bother with. After all, these are all already known and, theoretically, patched.

      The ones currently in use will be zero days.

  6. Anonymous Coward
    Anonymous Coward

    When you see that your FTSE listed employer has bought into almost all of the systems named in the report... And you know they are poor at evergreening patches out. (Head-desk).

  7. mark l 2 Silver badge

    Are we supposed to believe that the 5 eyes agencies wouldn't have used these same exploits to spy on hostile nations if they could?

    1. Zippy´s Sausage Factory

      Of course they're not going to tell anyone about the ones they're using, are they? Just the ones the opposition know about...

  8. Kuzo

    Five Eyes and pals

    Five Eyes and pals are very nice guys and don't exploit flaws in Russia, China and other guys

    1. Anonymous Coward
      Anonymous Coward

      Re: Five Eyes and pals

      You don't need to exploit flaws when you can have a friendly word with the companies directly. To insert - well they are at the rear and are vaguely of a doorlike nature, what should we call them ?

  9. Ropewash

    I, for one

    Would like Ru/Cn/etc to release a similar list of exploits routinely targeted by 5(i)s.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like