Five Eyes infosec agencies list 2023's most exploited software flaws

The cyber security agencies of the UK, US, Canada, Australia, and New Zealand have issued a list of the 15 most exploited vulnerabilities in 2023, and warned that attacks on zero-day exploits have become more common. "More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern …

  1. Furious Reg reader John

    "Slack patching remains a problem – which is worrying as crooks increasingly target zero-day vulns" - erm, I might be wrong, but Zero-day vulns by definition do not have patches?

    1. Alumoi Silver badge

      Yeah, they do. It's called Q&A testing and it used to be a thing. Now we have the paying customers as alpha testers, so who cares? We've got their money.

      1. The Man Who Fell To Earth Silver badge
        FAIL

        This is where lawyers could be useful

        To start suing the crap out of companies who don't follow secure by design & don't devote much to QA & security testing. As it stands now, companies pumping out crappy code don't really face any significant consequences. But hey, that new ribbon really looks good. And that AI fairy dust is so sparkly & shiny.

        1. FirstTangoInParis Bronze badge

          Re: This is where lawyers could be useful

          So I guess the thing with Secure By Design is that most if not all products featured here have code bases stretching back years if not decades. If I’ve understood correctly, SBD would like the manufacturers to scrap all their code and rewrite it from scratch using an SBD architecture, a memory safe language and really extensive QA testing. So that would take quite a while and quite a lot of money. Fundamentally, the CSuite aren’t going there.

        2. Claptrap314 Silver badge
          Black Helicopters

          Re: This is where lawyers could be useful

          If you read that contract that your company signed, you will find that you cannot do that.

    2. Don Dumb

      My understanding of the zero-day definition is that real exploits are in the wild at the point of disclosure, so they *are* being exploited from the start (effectively it is actively being attacked on day zero of the vulnerability being made public). Not that patches don't necessarily exist, but the race to patch before an exploit is out there has been lost before it started.

      Although, like everything these days, the definition has been misused so much it probably doesn't matter.

  2. Richard 12 Silver badge
    WTF?

    Useless CVE, Microsoft

    affected from 16.0.1 before https://aka.ms/OfficeSecurityReleases

    HTF am I supposed to check whether that's patched?

  3. SnailFerrous
    Big Brother

    I'm assuming that none of these are the zero days vulnerabilities that the Five Eyes spooks themselves exploit.

    1. Doctor Syntax Silver badge

      Yes, last year's access ports. What they're using now will be listed next year.

    2. CowHorseFrog Silver badge

      So if you don't trust your government, then why do you live in that country?

      1. MyffyW Silver badge

        if you don't trust your government, then why do you live in that country?

        A couple of reasons I can think of:

        - Limited options for emigration

        - The knowledge that any candidate second countries that will let you in are similarly embuggered

        - The cultural attachment one has to one's homeland

        - The fact that a healthy distrust of government might be a good thing

        Plus - and I'll admit I remain hopelessly optimistic in this regard - the belief that it's better to remain and try to make things better, rather than run

        1. CowHorseFrog Silver badge

          Re: if you don't trust your government, then why do you live in that country?

          Myffyw: - Limited options for emigration

          cow: your reply implies there are options...

          Are you one of the many that wave your flag like an idiot and have a few hanging outside your home?

          1. Benegesserict Cumbersomberbatch Silver badge

            Re: if you don't trust your government, then why do you live in that country?

            For all that her other points are valid, MyffyW's 4th reason is the only one I need.

            Everyone wishes for a world where police are unnecessary. The reality is I'm comforted by the knowledge that, since they are necessary, my country's police have been trained in the law, and in human rights law specifically. And that if I had a problem with the police, someone is watching them, too, a lawyer is on my side, and an impartial judge is no more than 24h away.

            Everyone wishes for a world where spy agencies are unnecessary, but I'm comforted by the fact that my country's spy agencies publicly encourage IT security, but they have no say in what I choose to do with the internet. And that they don't have close personal and political ties with my country's police.

      2. Anonymous Coward
        Anonymous Coward

        About Your Choice Of Residence...............

        @CowHorseFrog

        You mentioned trust...you mentioned "government".....

        ....but every day people use Amazon, Microsoft, Google, Meta....all interactively snooping on each and every transaction.......

        I should think these organisations are more of a threat than "government"..............

        ............and these four will be snooping on your life....WHEREVER YOU LIVE...........

        1. CowHorseFrog Silver badge

          Re: About Your Choice Of Residence...............

          AC: but every day people use Amazon, Microsoft, Google, Meta....all interactively snooping on each and every transaction.......

          cow: Really - I had no idea?

          Hang on, this thread is not about any of them, but was a response about a government; they aren't the same thing.

      3. 'bluey

        Some might say that the country belongs to its people, not the government.

        I know politicians everywhere will disagree...

  4. Captain Hogwash Silver badge

    These would be great

    read out in reverse order with the voice of a 1970s radio DJ.

    1. Roj Blake Silver badge

      Re: These would be great

      That depends upon which 1970s radio DJ you're talking about...

      1. Eponymous Bastard
        Happy

        Re: These would be great

        Tom Browne would be my choice - a great voice, but I know what you're getting at!

      2. RegGuy1
        Coat

        Re: These would be great

        That depends upon which 1970s radio DJ you're talking about...

        Jimmy Saville?

        Now then, now then...

        Icon, for obvious reasons ----->

  5. Will Godfrey Silver badge
    Facepalm

    But... but

    Profits!

  6. CowHorseFrog Silver badge

    How is Atlassian only 7th and Microsoft only 14th?

    1. RegW

      Is your surprise because you expect Microsoft to be higher up the list than Atlassian, or that both are not higher?

      Perhaps the spooks (and everyone else) have realised that Confluence is only there as lip service to documentation. If it's there at all, then it's years out of date and the bad guys are welcome to it.

      Microsoft netlogin vulnerabilities are only an issue if you use Windows and connect to the internet in some way, and who does that? What? Surely not!

      1. CowHorseFrog Silver badge

        I expected both to be much higher than their respective places.

  7. G40
    Facepalm

    What?

    Seriously, is implementation language a data point here? Java looks over-represented.

  8. DS999 Silver badge

    Who needs 0 days

    When, based on this list containing many examples of stuff that was patched in previous years, it is apparent that unless you are looking to attack a specific target that actually follows best practices, you can just google for exploit code of something fixed two years ago and Bob's your uncle!

  9. Anonymous Coward
    Anonymous Coward

    "whac-a-mole". Very nice with tortilla chips.

  10. Vocational Vagabond
    Unhappy

    Unlike the author ...

    ... here's a link to the whole list of fifteen, from "2023": https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a . Ooooh, looky there, it's got a link to each CVE, with name, and affected software by title!!

    Realizing by the second paragraph I'd have to wade through it blow by blow to obtain the content of said list, I stopped reading. All your style achieved was devaluation of your content, and wasting your readers' time.

    For context I would have appreciated the actual list, and, probably like many other readers here, insightful commentary on the list as a whole. That is a poor effort; while some hacks here may enjoy self-servicing word games, I'd rather assess the list directly, and would have appreciated that more.

    Pity the editor's correction didn't stretch to an apology for the wasting of readers' time.
