Vulnerabilities exist in all software, including malware. The act of writing malware doesn’t mean the programmer magically creates code that doesn’t have vulnerabilities. It just means that the programmer is looking to possibly exploit vulnerabilities by creating their own code, which may also contain vulnerabilities.
The malvuln project takes malware and looks for vulnerabilities in the software. I thought I’d take their work and compare it to another set of data from the general software vulnerabilities in 2021. Of course, this comparison doesn’t represent all the malware available, just like the general software vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) data aren’t from all the software available. However, they are subsets we can analyze.
I decided to look at the type of vulnerabilities found in each set of data. That means for the vulnerabilities of 2021, I’m looking at the CVEs issued in 2021 and considering the Common Weakness Enumeration (CWE) for each one. For the malvuln data, each report has a line that identifies the kind of vulnerability found. There isn’t an exact match-up between the two sets, but I can infer similarities based on the descriptions.
I started collecting the data at the beginning of January 2021, and I downloaded new files every day from the malvuln data set. There are 226 advisories in my collection, and the types of malware include Backdoors, Trojans, Worms, Constructor, Viruses, and other malicious software. After processing the reports, I discovered that the most common vulnerability in this set is Insecure Permissions, with 87 instances out of the 226 reports or 38.5%. The next four most common vulnerabilities are Remote Stack Buffer Overflow, Missing Authentication, Unauthenticated Remote Command Execution, and Remote Denial of Service.
Turning to the CVE data from the National Vulnerability Database (NVD), so far, the top CWE for 2021 is CWE-80 (Cross-Site Scripting). It makes sense that this vulnerability is not as common for malware since most of these are
This article is purposely trimmed, please visit the source to read the full article.
The post Vulnerabilities: Everybodys Got One! appeared first on Carnegie Mellon University's Software Engineering Institute Blog.