Modern security teams are inundated with the sheer number of weaknesses and corresponding vulnerabilities that are announced so it’s not surprising why organizations struggle to decide which patches are the most critical. With the focus on internet connected customer-facing applications critical weaknesses within the rest of the stack are often overlooked. Luckily many organizations like MITRE work to update a public database that classifies these vulnerabilities and weaknesses based on severity. There is an important difference to note between a weakness and a vulnerability: a weakness is a software error that hackers use to gain access to a system or a network and leads to software vulnerabilities. In MITRE’s most recent report, the 2020 Common Weakness Enumeration Top 25 Most Dangerous Software Errors, it ranked CWE-119 as the most dangerous weakness.
Unless you spend most of your time looking at all of the numerous weakness classifications it is easy to disregard CWE-119, which is one of a dozen different categories. CWE-119 is defined as the “improper restriction of operations within the bounds of a memory buffer. This weakness encompasses a larger class of errors that includes buffer overflows, integer overflows and out-of-bounds reads. This category of vulnerability is found in all software whether that be operating systems, web servers, desktop applications and mobile apps. With the prevalence of this weakness it is so surprising that more organizations do not put additional effort into protecting themselves from them. Buffer overflow vulnerabilities are not a new security problem, in fact the first known exploit of a buffer overflow occurred in 1988 with the Morris Worm. A buffer overflow occurs because of how the operating system loads a program in memory on the stack. If a program doesn’t check the boundaries of input values to fit the local variables, it could write beyond the intended space available for these variables. In the best case this will overwrite other variables but in the worst case, it will overwrite the return address. By overwriting the return address, an attacker can modify the execution logic of the running program and take over control when the function returns. For an in-depth look at memory-buffer attacks check out OWASP’s run through.
With 70% of vulnerabilities being memory-buffer exploits, organizations need to take matters into their own hands and not solely rely on patching, especially when these can come too late. Organizations should not have to rely on software updates to keep themselves secure. While vendors continue to eliminate memory-buffer vulnerabilities by introducing better coding practices, compiler flags and fuzzers to detect overflows, these efforts are often complex and not always enough to eliminate cyberattacks. However, there is hope for stopping is weakness in its tracks. With Polymorphing you can eliminate the entire class of memory-based weaknesses with no change to user or developer behavior.