"Slack patching remains a problem – which is worrying as crooks increasingly target zero-day vulns" - erm, I might be wrong, but zero-day vulns by definition do not have patches?
Five Eyes infosec agencies list 2023's most exploited software flaws
The cyber security agencies of the UK, US, Canada, Australia, and New Zealand have issued a list of the 15 most exploited vulnerabilities in 2023, and warned that attacks on zero-day exploits have become more common. "More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern …
COMMENTS
Thursday 14th November 2024 13:37 GMT The Man Who Fell To Earth
This is where lawyers could be useful
To start suing the crap out of companies who don't follow secure by design & don't devote much to QA & security testing. As it stands now, companies pumping out crappy code don't really face any significant consequences. But hey, that new ribbon really looks good. And that AI fairy dust is so sparkly & shiny.
Thursday 14th November 2024 17:40 GMT FirstTangoInParis
Re: This is where lawyers could be useful
So I guess the thing with Secure By Design is that most if not all products featured here have code bases stretching back years if not decades. If I’ve understood correctly, SBD would like the manufacturers to scrap all their code and rewrite it from scratch using an SBD architecture, a memory safe language and really extensive QA testing. So that would take quite a while and quite a lot of money. Fundamentally, the C-suite aren’t going there.
Thursday 14th November 2024 18:18 GMT Don Dumb
My understanding of the zero-day definition is that real exploits are in the wild at the point of disclosure, so they *are* being exploited from the start (effectively it is actively being attacked on day zero of the vulnerability being made public). Not that patches don't necessarily exist, but the race to patch before an exploit is out there has been lost before it started.
Although, like everything these days, the definition has been misused so much it probably doesn't matter.
Thursday 14th November 2024 13:03 GMT MyffyW
if you don't trust your government, then why do you live in that country?
A couple of reasons I can think of:
- Limited options for emigration
- The knowledge that any candidate second countries that will let you in are similarly embuggered
- The cultural attachment one has to one's homeland
- The fact that a healthy distrust of government might be a good thing
Plus - and I'll admit I remain hopelessly optimistic in this regard - the belief that it's better to remain and try to make things better, rather than run.
Saturday 23rd November 2024 20:11 GMT Benegesserict Cumbersomberbatch
Re: if you don't trust your government, then why do you live in that country?
For all that her other points are valid, MyffyW's 4th reason is the only one I need.
Everyone wishes for a world where police are unnecessary. The reality is I'm comforted by the knowledge that, since they are necessary, my country's police have been trained in the law, and in human rights law specifically. And that if I had a problem with the police, someone is watching them, too, a lawyer is on my side, and an impartial judge is no more than 24h away.
Everyone wishes for a world where spy agencies are unnecessary, but I'm comforted by the fact that my country's spy agencies publicly encourage IT security, but they have no say in what I choose to do with the internet. And that they don't have close personal and political ties with my country's police.
Thursday 14th November 2024 13:35 GMT Anonymous Coward
About Your Choice Of Residence...............
@CowHorseFrog
You mentioned trust...you mentioned "government".....
....but every day people use Amazon, Microsoft, Google, Meta....all interactively snooping on each and every transaction.......
I should think these organisations are more of a threat than "government"..............
............and these four will be snooping on your life....WHEREVER YOU LIVE...........
Saturday 16th November 2024 05:03 GMT CowHorseFrog
Re: About Your Choice Of Residence...............
AC: but every day people use Amazon, Microsoft, Google, Meta....all interactively snooping on each and every transaction.......
cow: Really - I had no idea?
Hang on, this thread is not about any of them, but was a response about a government; they aren't the same thing.
Thursday 14th November 2024 14:16 GMT RegW
Is your surprise because you expect Microsoft to be higher up the list than Atlassian, or that both are not higher?
Perhaps the spooks (and everyone else) have realised that Confluence is only there as lip service to documentation. If it's there at all, then it's years out of date and the bad guys are welcome to it.
Microsoft Netlogon vulnerabilities are only an issue if you use Windows and connect to the internet in some way, and who does that? What? Surely not!
Friday 15th November 2024 01:44 GMT DS999
Who needs 0 days
When, based on this list containing many examples of stuff that was patched in previous years, it is apparent that unless you are looking to attack a specific target that actually follows best practices you can just Google for exploit code of something fixed two years ago and Bob's your uncle!
Tuesday 19th November 2024 11:16 GMT Vocational Vagabond
Unlike the author ...
... here's a link to the whole list of fifteen, from "2023", https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a , Ooooh looky there, it's got a link to each CVE, with name, and affected software by title!!
Realizing by the second paragraph I'd have to wade through it blow by blow to obtain the content of said list, I stopped reading. All your style achieved was devaluation of your content, and wasting your readers' time.
For context I would have appreciated the actual list, and, probably like many other readers here, insightful commentary on the list as a whole. That is a poor effort; while some hacks here may enjoy self-servicing word games, I'd rather assess the list directly, and would have appreciated that more.
Pity the editor's correction didn't stretch to an apology for the wasting of readers' time.