The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government’s list of known vulnerabilities that are under active attack and need to be patched, we note.
Out-of-bounds write, sometimes labeled CWE-787, also took the top spot in 2022, showing a distinct lack of improvement.
An out-of-bounds write happens when software (and sometimes hardware) alters memory it’s not supposed to, such as by writing data to a memory buffer and overshooting the end of that buffer, causing it to unexpectedly change other variables and information or just crash. That kind of bug can be triggered accidentally through normal operation, or it can be triggered deliberately by exploit code.
Typically, exploit code will induce an out-of-bounds write to alter data structures so that the flow of execution is hijacked and diverted in a way the attacker chooses, allowing them to take control of the software, be it an application, a remote service, or part of an operating system. Ideally, software should be written to prevent this kind of overwrite, and using memory-safe languages like Rust can help here.
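As an added illustration (not from MITRE's report or this article), the pattern described above in C: a record whose fixed-size name buffer sits directly in front of a privilege flag, a copy routine that trusts the caller's length and overruns the buffer, and the bounds-checked version that refuses input that does not fit. The struct layout and the 12-byte input are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed layout: an 8-byte name field directly followed by a privilege
   flag, so any overrun of name lands in is_admin. */
struct record {
    char name[8];
    uint32_t is_admin;
};

/* Unchecked store (CWE-787 pattern): len is never compared with sizeof name.
   Copying via a byte pointer to the whole struct (which starts at name) keeps
   the demo inside one object; a real bug has no clamp at all. */
int set_name_unchecked(struct record *r, const char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)r;  /* same address as r->name */
    if (len > sizeof *r)                       /* demo-only clamp */
        return -1;
    memcpy(dst, src, len);                     /* len > 8 overwrites is_admin */
    return 0;
}

/* Hardened store: reject input that does not fit, terminator included. */
int set_name_checked(struct record *r, const char *src, size_t len)
{
    if (len >= sizeof r->name)
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Store a constructed 12-byte name; returns is_admin afterwards, *rc the code. */
uint32_t store_and_read_flag(int checked, int *rc)
{
    static const char input[12] = "AAAAAAAAAAAA"; /* 12 bytes, no terminator */
    struct record r = {{0}, 0};                    /* is_admin starts at 0 */
    *rc = checked ? set_name_checked(&r, input, sizeof input)
                  : set_name_unchecked(&r, input, sizeof input);
    return r.is_admin;
}

int main(void)
{
    int rc;
    printf("unchecked: is_admin=0x%08x\n", (unsigned)store_and_read_flag(0, &rc));
    printf("checked:   is_admin=0x%08x\n", (unsigned)store_and_read_flag(1, &rc));
    return 0;
}
```

The unchecked routine leaves is_admin holding the overflowed bytes (0x41414141), while the checked one rejects the input and the flag stays zero.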
Number two on MITRE’s list is the less complex but still annoying cross-site scripting bug (CWE-79), which was key in four CVEs in the known exploited vulnerabilities catalog maintained by Uncle Sam’s CISA. This bug type is a fancy form of a failure to sanitize user input.
Number three — SQL injection flaws (CWE-89) — account for four known exploited bugs in the CISA catalog. Again, another form of input sanitization failure. Clean and neutralize your inputs, people. You can’t assume all your users are nice.
MITRE compiles the annual CWE Top 25 list by analyzing public vulnerability data in America’s National Vulnerability Database. This year’s list is based on 43,996 CVE records for vulnerabilities in 2021 and 2022, and was issued in conjunction with US Homeland Security and CISA.
“These weaknesses lead to serious vulnerabilities in software,” the cybersecurity agency warned t