Mitre reveals the most dangerous software vulnerabilities

A depiction of a bug on a blue binary background
(Image credit: Shutterstock)

The not-for-profit Mitre Corporation has published an updated list of the world's 25 most dangerous software weaknesses that have inundated applications over the last couple years.

Among the top bugs were out-of-bounds writes and improper neutralization of inputs in web page generation. Mitre said the weaknesses included in the list are “often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.”

To compile the list, Mitre looked at Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. It applied a formula to the data to score each weakness based on prevalence and severity.

“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen,” said Mitre in a statement.

It said this approach was taken as it would provide an objective look at what vulnerabilities are currently seen in the real world, “creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions and makes the process easily repeatable.”

RELATED RESOURCE

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

FREE DOWNLOAD

Number one on Mitre’s list was an out-of-bounds write flaw. Also known as CWE-787, this flaw happens when software writes data past the end or before the beginning of the intended buffer. This can result in corruption of data, a crash, or code execution. This scored 65.93, the highest on the list.

The next largest flaw was an improper input neutralization during web page generation or cross-site scripting bug. This is where software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page and served to other users. This scored 46.84 on the list.

Mitre said the major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses.

“A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged,” it said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.