Five Eyes nations detail dirty dozen most exploited vulnerabilities

If you're wondering what patches to prioritize, ponder no longer: An international group of cybersecurity agencies has published a list of the 12 most commonly exploited vulnerabilities of 2022 – a list many will recognize.  The coalition of officials from the US, Australia, Canada, New Zealand and United Kingdom's various …

  1. ChoHag Silver badge

    > "They brought in industrial volumes of cocaine that have no doubt contributed to further waves of crime and misery in our communities."

    Have we seen any of this crime and misery or do we just assume drugs -> junkie -> crime?

    The only crime here is the price of cocaine.

    Well, and the smuggling.

    1. Arthur the cat Silver badge

      > Have we seen any of this crime and misery or do we just assume drugs -> junkie -> crime?

      In my experience cocaine + sales entities(*) ≡ crimes against humanity.

      In such cases the death penalty would be letting them off lightly.

      (*) Also bankers, metals traders, trustafarians, anybody called Tarquin, …

  2. b0llchit Silver badge

    A lot of companies bought kit and have no idea what they bought or how to support it. They followed the sales guy, put the connectors in the appropriate sockets, turned the damn thing on and left it there.

    Is anybody still wondering why old gear is remotely accessible and pwn'able?

    1. IGotOut Silver badge

      I'd flip that a little.

      People bought gear off a salesman.

      People saw extortionate prices of annual "maintenance" and went "Fuck that"

      Patches are only available to those on support contract.

      No patching done.

      This is no joke. Some of the kit I used to work on, the annual "support" was almost as much as the gear. Being telecoms gear, the need for support was almost non-existent. In fact, the only time you're likely to get a failure is a borked update.

      1. DoContra

        For proper telecoms gear (i.e., speaks something other than Ethernet via copper/fibre optics) I can sort of understand that posture (offer not valid for telcos/encryption endpoints for customer-data traffic). Otherwise, why not a cobbled-together GNU/Linux install / router-oriented Linux distro? Other than the antivirus bit[1] (and mayyyyyyyyyybe the anti-spam solution[2]), you'll get either the same software as the proprietary turn-key solution (admittedly with all its gory details) or something super close enough.

        And even I have to admit that there are companies that do the right thing (TM) regarding support for old kit. I run a fleet of old (circa 2012-2014) Mikrotik[3] Wi-Fi routers (493 series) which get regular software updates/upgrades without the need for a support contract[4] to this day, and ship with some pretty advanced features for the hardware they sell (VPN client/server -- even WireGuard in later versions! --, RIP/OSPF support, apcupsd -- local only IIRC --, virtualization, etc.). I have to admit, to my eternal shame, that I have largely not upgraded these, but due to how these are deployed (and their uptime requirements), most everybody at my work is in the "known broken" camp (as opposed to my preferred "new shiny exciting borkage!" camp).

        [1]: I've seen some nasty comments/reviews regarding clamav dotted around the internet, and IME it hasn't caught anything, mostly because [2].

        [2]: SpamAssassin (via amavisd-new, which adds more checks/integrates antivirus in a single milter) has been working super, super well for me. Its biggest weakness (and I believe it's mainly because I haven't enabled integrations to paid antispam subscription services/my e-mail traffic is primarily in/for a non-English-speaking crowd) is phishing e-mails from compromised e-mail accounts of otherwise valid domains. (I "have set up" -- accepted the default Debian config of -- amavisd to outright block e-mails with executable attachments -- PE/ELF executables, VBS scripts, etc.)

        [3]: I respect the hardware (esp. when I get to flash OpenWRT on it :) ), not quite the biggest fan of the software (UIs -- web and Winbox -- are kinda whack, console is fully-featured and very tractable if you're used to Cisco-esque environments -- it even has a half-decent autocomplete!).

        [4]: You do need a valid license to use it, which for my practical purposes comes in flash with the hardware (and dies when the internal flash dies). The license comes in five levels with different access to features, but all hardware I've paid attention to has either come with the 3rd level (bang-on middle, good enough for my needs) or the full monty. You can license just the software and then BYOServer, but I never had/felt the need to.
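The executable-attachment block that the comment above describes (note [2]) is worth seeing as an explicit check, because the useful part is deciding by content rather than by file name. The example below is added here and is not amavisd-new's or the commenter's code: it walks the MIME parts of a message, decodes each attachment, and refuses PE and ELF images by their magic bytes (so a renamed `invoice.pdf` that is really an `.exe` is still caught), refuses script and executable extensions by name, and looks one level into zip archives. The extension lists, the reason strings, the sample messages and the policy of treating an encrypted or unreadable zip as banned are all assumptions for illustration.

```python
"""Content-based check for executable e-mail attachments (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: what the check refuses. Magic bytes are checked first so a
# renamed executable is caught regardless of its extension.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
EXE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}


def _ext(name):
    """Lower-cased final extension of NAME, or '' if it has none."""
    name = (name or "").lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def classify_head(name, head):
    """Return a reason string if NAME plus the first bytes HEAD look banned, else None."""
    for sig, label in MAGIC.items():
        if head.startswith(sig):
            return f"{label} ({name or 'unnamed'})"
    ext = _ext(name)
    if ext in EXE_EXTS:
        return f"executable extension {ext} ({name})"
    if ext in SCRIPT_EXTS:
        return f"script extension {ext} ({name})"
    return None


def classify_bytes(name, data):
    """Classify a decoded attachment; looks one level into zip archives."""
    reason = classify_head(name, data[:4])
    if reason:
        return reason
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    with zf.open(member) as fh:
                        head = fh.read(4)  # only the signature, never the whole member
                    inner = classify_head(member, head)
                    if inner:
                        return f"zip {name} contains {inner}"
        except (zipfile.BadZipFile, RuntimeError):
            # RuntimeError is what zipfile raises for password-protected members;
            # assumed policy: an archive we cannot inspect is refused.
            return f"unreadable or encrypted zip archive ({name})"
    return None


def banned_attachments(raw):
    """Parse a raw RFC 5322 message and return the reasons it should be refused."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # inline body text, not an attachment
        data = part.get_payload(decode=True) or b""
        reason = classify_bytes(filename, data)
        if reason:
            reasons.append(reason)
    return reasons


def build_sample(filename, payload):
    """Constructed sample message with one attachment (not real mail traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "postmaster@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_zip(members):
    """Constructed zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    renamed_pe = build_sample("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    print(banned_attachments(renamed_pe))
    archive = build_sample("archive.zip", build_zip({"readme.txt": b"hello",
                                                     "setup.exe": b"MZ" + b"\x00" * 10}))
    print(banned_attachments(archive))
```

The check deliberately reads only the first four bytes of each zip member, so a decompression bomb costs nothing to inspect; the trade-off is that a nested zip inside a zip is not opened, which is the same single-level choice most milter configurations make unless you enable recursive unpacking.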

  3. Roj Blake Silver badge

    Five Eyes List...

    ...the exploits that are already in the public domain rather than the ones they're the only people who know about and are actively exploiting.
