Miscreants are exploiting enterprise tech zero days more and more, Google warns

The discovery and exploitation of zero-day vulnerabilities in enterprise-specific software and appliances appears to be outpacing the leveraging of zero-day bugs overall, judging by Google's latest research. In a report published today, the web giant's Threat Analysis Group (TAG) and Mandiant division said they tracked 97 …

  1. Yorick Hunt Silver badge
    Facepalm

    When development emphasis is on "prettier" and "quicker to market" instead of building applications properly from the ground up.

    Got a finite-size buffer? Why not check for data size BEFORE you go stuffing it in there? It's not as if you lack CPU cycles these days (trust me, I used to write in Z80 assembler). Ditto for data types. And never assume that a value being passed to a function is valid just because that function's being fed by your own code.

    1. DS999 Silver badge

      You don't always know how big your data is

      Think about sprintf() as just one example, but a lot of stuff is like that where you call a function with a buffer and it fills the buffer for you. Sometimes the function is to blame, because it will claim that the maximum size is say 1024 bytes but some clever bastard finds a way to fool it into making it generate more than it thinks it can. Maybe it malloc()s for you, but calculates wrong because someone is making it do something it wasn't intended to do.

      Other times it is down to programmer laziness, they'll allocate a buffer of a given size they think is triple the biggest possible size you'd ever need but the clever bastards are extremely clever in finding ways to make software do things it wasn't intended to. Stuff like DNS amplification attacks are the bandwidth version of this sort of thing.
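The two cases discussed in the comments above (a fixed buffer that may be too small, and an allocation sized by a calculation), sketched in C as an added example that is not code from the thread or from any poster. The helper names `format_fixed` and `format_alloc` are hypothetical; the inputs in `main` are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a fixed buffer. Returns 0 on success, -1 if the output
 * did not fit or formatting failed; never leaves a truncated string. */
int format_fixed(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    if (dst == NULL || dst_size == 0)
        return -1;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dst_size) {   /* n is the length it WANTED */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Measure first, then allocate, then verify the second pass wrote exactly
 * what was measured. Returns NULL on any failure; caller frees the result. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int need = vsnprintf(NULL, 0, fmt, ap);  /* length excluding the NUL */
    va_end(ap);
    char *buf = need < 0 ? NULL : malloc((size_t)need + 1);
    int n = buf ? vsnprintf(buf, (size_t)need + 1, fmt, ap2) : -1;
    va_end(ap2);
    if (buf == NULL || n != need) { free(buf); return NULL; }
    return buf;
}

int main(void)
{
    char small[8];
    printf("7 chars into 8 bytes: %d\n", format_fixed(small, sizeof small, "%s", "1234567"));
    printf("8 chars into 8 bytes: %d\n", format_fixed(small, sizeof small, "%s", "12345678"));
    char *s = format_alloc("user=%s id=%d", "alice", 42);
    if (s) { printf("%s (%zu bytes)\n", s, strlen(s)); free(s); }
    return 0;
}
```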

  2. Clausewitz4.0 Bronze badge
    Devil

    Unknown Actors

    including those with ties to Russia, North Korea, Belarus, China, and other unknown actors.

    Unknown Actors being NSA/CIA/MI6/GCHQ - but being El Reg a royal servant, better to not name them properly.

    1. johnandmegh

      Re: Unknown Actors

      Funny that there are downvotes for stating what is as Ann as the nose on Plain's face. A Quartz article on "Google's true origin" and the Guardian article on NSA Prism should, together, give one a good inkling of whether or not Google would be unbiased in attributing malware to "friendly" nation-state attackers.

      1. Michael Wojcik Silver badge

        Re: Unknown Actors

        Perhaps the downvotes are because the Register has no problem naming NSA, GCHQ, and the rest[1][2]. They were paraphrasing the TAG report, which does indeed list "Russia, North Korea, Belarus, China, and other unknown actors". The accusation against the editors was bullshit, and typical of a certain sort of axe-grinding that continues to pollute these forums, where some posters need to moan endlessly about a nonexistent problem.

        [1] Adding the CIA here, as Clausewitz4.0 did, is a bit silly, since the CIA's malware development capabilities are likely orders of magnitude smaller than the NSA's or any of the other big state actors. Might as well worry about the DEA exploiting 0days.

        [2] Just as no one else with any sense has any qualms about naming the NSA and friends. We all know they're spying; that's their job. We all know they hoard vulnerabilities and develop exploits; that's been amply documented for decades. It's not a fucking conspiracy when everyone says it out loud.
