MITRE’s Top 25 Most Dangerous Software Errors

By Shaina Raskin

Modern security teams are inundated with the number of weaknesses and corresponding vulnerabilities that are announced every week. It’s not surprising why organizations struggle to decide which vulnerabilities are the most critical to patch. With many enterprises focused on modernization and new agile technologies, often critical weaknesses within the rest of the stack are often overlooked. Luckily many organizations like MITRE provide information to help people prioritize their attention. Every year MITRE updates the Top 25 Most Dangerous Software Errors  (CWE Top 25); a list of the top software weaknesses.

How does MITRE decide what is a dangerous weakness?

The CWE Top 25 is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. They use a data-driven approach to determine the level of prevalence and danger each weakness presents (more information can be found here). In MITRE’s most recent report, it ranked CWE-119 as the most dangerous weakness.

CWE-119: the #1 most dangerous weakness

CWE-119 is one of a dozen different categories of software weaknesses. CWE-119 is defined as the “improper restriction of operations within the bounds of a memory buffer.” This weakness encompasses a larger class of errors that includes buffer overflows, integer overflows and out-of-bounds reads. This category of vulnerability is found in all software whether that be operating systems, web servers, desktop applications and mobile apps. Buffer overflow vulnerabilities are not a new security problem, in fact the first known exploit of a buffer overflow occurred in 1988 with the Morris Worm.2 A buffer overflow occurs because of how the operating system loads a program in memory on the stack. If a program doesn’t check the boundaries of input values to fit the local variables, it could write beyond the intended space available for these variables. In the best case this will overwrite other variables but in the worst case, it will overwrite the return address. By overwriting the return address, an attacker can modify the execution logic of the running program and take over control when the function returns. For an in-depth look at memory-buffer attacks check out OWASP. With the highly prevalent nature of buffer overflows it is a constant battle for organizations to determine whether they should fix the issue or keep focusing on Line of Business goals.

Why is the weakness so dangerous?

Today, 70% of exploited vulnerabilities are memory-buffer exploits, which fall within the CWE-119 category. In order to protect themselves from any known or unknown vulnerabilities, organizations rely on vendor patches. Many of which come too late in the case of an attack or exploit code being released. Organizations should not have to rely on software updates to keep their mission critical systems and customer data secure. While software vendors continue to eliminate memory-buffer vulnerabilities by introducing better coding practices, compiler flags and fuzzers to detect overflows, these efforts are often complex and not always enough to eliminate the exploits used in a variety of cyberattacks. This is because many memory-based attacks use fileless exploits to bypass system defenses, meaning they use the victim’s software against itself.

Eliminating CWE 119 from your systems

However, there is hope for stopping these attacks in their tracks. With Polymorphing you can eliminate the entire class of memory-based weaknesses with no change to user or developer behavior. Polymorphing takes your operating system’s source code and runs it through a polymorphic compiler, changing register usage, function locations, import tables and other targets. This produces individually unique binaries that are semantically equivalent to the source. Polymorphing applies the compiler to the totality of the Linux stack protecting your system from memory-based threats, even if it is unpatched.

To see which weaknesses Polymorphing removes, please see the Polyverse Weakness Report Tool.

Learn more about CWE-119 and memory-based threats to your operating system in our latest paper on Which Weaknesses Matter. Or watch our latest webinar on Why Fileless Attacks Should Keep you up at Night.

Interested in learning more?

Be the first to hear about the latest product releases and cybersecurity news.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.