When Errors Mean Danger: Top 25 Most Dangerous Software Errors
We live in a world in which computing touches virtually every aspect of our lives, both professional and personal. That has brought many good things—and its fair share of anxieties. Financial, social, and personal security are bound up with IT in complex and permanent ways. IT security issues should be of concern to everyone.
MITRE and the CWE
The non-profit MITRE Corporation operates research and development centers funded by the United States government, among them work sponsored by the Department of Homeland Security. It is, in its own words, a “mission-driven team [that] is dedicated to solving problems for a safer world.” Emerging from MITRE and its mandate is the Common Weakness Enumeration (CWE), a community-developed catalogue of types of software weakness. Its Top 25 “is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.”
A weakness is thus not the same thing as a vulnerability. A weakness is a type of mistake (a missing bounds check, say); a vulnerability is a specific instance of such a mistake in a particular product that an attacker could actually exploit. Being aware of weaknesses, and where possible removing them, before they become vulnerabilities is obviously desirable.
The 2019 ranking was data-driven. MITRE started from the entries in the National Vulnerability Database (NVD), which annotates the Common Vulnerabilities and Exposures (CVE) list of “publicly known cybersecurity vulnerabilities” with severity scores, and ranked each weakness by how often it was recorded as the root cause of a CVE entry and by how severe those entries were.
In September 2019, MITRE released the CWE Top 25 Most Dangerous Software Errors for 2019. Examining this list and learning more about each weakness may help you and your business set security priorities for 2020.
To Note
- This is the first CWE Top 25 since 2011.
- Several of the highest-ranked errors—about two-thirds of the list, in fact—are not new, but are long-standing problems. This is a reminder that some software security issues do not yield easily to solutions and require constant vigilance.
- If you discover that you are using a software product that contains any of the flaws listed here, you should contact the provider sooner rather than later.
The List
- Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
- Cross-site Scripting, AKA Improper Neutralization of Input During Web Page Generation (CWE-79)
- Improper Input Validation (CWE-20)
- Information Exposure (CWE-200)
- Out-of-bounds Read (CWE-125)
- SQL Injection, AKA Improper Neutralization of Special Elements used in an SQL Command (CWE-89)
- Use After Free (CWE-416)
- Integer Overflow or Wraparound (CWE-190)
- Cross-Site Request Forgery (CSRF) (CWE-352)
- Path Traversal, AKA Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
- OS Command Injection, AKA Improper Neutralization of Special Elements used in an OS Command (CWE-78)
- Out-of-bounds Write (CWE-787)
- Improper Authentication (CWE-287)
- NULL Pointer Dereference (CWE-476)
- Incorrect Permission Assignment for Critical Resource (CWE-732)
- Unrestricted Upload of File with Dangerous Type (CWE-434)
- Improper Restriction of XML External Entity Reference (CWE-611)
- Code Injection, AKA Improper Control of Generation of Code (CWE-94)
- Use of Hard-coded Credentials (CWE-798)
- Uncontrolled Resource Consumption (CWE-400)
- Missing Release of Resource after Effective Lifetime (CWE-772)
- Untrusted Search Path (CWE-426)
- Deserialization of Untrusted Data (CWE-502)
- Improper Privilege Management (CWE-269)
- Improper Certificate Validation (CWE-295)
The following are the CWE's top 25 software errors, from most dangerous to least dangerous. Beneath each item is a brief description; the source list provides more in-depth information on each, including related weaknesses and example CVEs.
1. Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
The software reads from or writes to a memory location outside the boundaries of the buffer it intends to use. Depending on what sits beside the buffer, this can crash the process, leak sensitive data, or allow an attacker to execute arbitrary code. CWE-119 is the general class; the out-of-bounds read (5) and out-of-bounds write (12) entries below are its two specific forms. Languages without automatic bounds checking, chiefly C and C++, account for most instances.
2. Cross-site Scripting, AKA Improper Neutralization of Input During Web Page Generation (CWE-79)
Cross-site scripting comes in several forms (reflected, stored, and DOM-based), but in every case the software places user-controlled input into a web page without neutralizing it, or neutralizes it incorrectly, so that the attacker's markup or script runs in another user's browser with that user's session and privileges.
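An added example (not from the CWE page) of what “neutralizing” means in practice, in Python. The search query and the two attack strings are constructed for the demonstration; the code renders the same value into element text, a quoted attribute and an unquoted attribute, and uses the standard library's HTML parser to see what a browser would actually make of the result:

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs (assumption: they arrive as a "q" query parameter).
ATTACK_TEXT = '"><script>alert(document.cookie)</script>'
ATTACK_ATTR = "x onmouseover=alert(1)"


def render_unsafe(query: str) -> str:
    """Vulnerable (CWE-79): the query goes into the page verbatim."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_escaped(query: str) -> str:
    """Hardened: entity-escape before insertion.  html.escape(quote=True)
    rewrites < > & " ' so the value can neither close the <p> nor break out
    of the quoted value="..." attribute."""
    safe = html.escape(query, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


def render_unquoted_attr(query: str) -> str:
    """Still vulnerable despite escaping: the attribute is unquoted, so a
    space in the value ends it and the remainder becomes a new attribute.
    Escaping has to match the context the value is inserted into."""
    return f'<input name="q" value={html.escape(query, quote=True)}>'


class _TagCollector(HTMLParser):
    """Records the tags and attribute names a browser-like parser produces."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def parse_page(page: str):
    """Return (tags, attribute names) as the HTML parser sees them."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags, collector.attr_names


def has_injected_script(page: str) -> bool:
    tags, _ = parse_page(page)
    return "script" in tags


def has_injected_event_handler(page: str) -> bool:
    _, attr_names = parse_page(page)
    return any(name.startswith("on") for name in attr_names)


if __name__ == "__main__":
    for renderer, attack in ((render_unsafe, ATTACK_TEXT),
                             (render_escaped, ATTACK_TEXT),
                             (render_unquoted_attr, ATTACK_ATTR),
                             (render_escaped, ATTACK_ATTR)):
        page = renderer(attack)
        print(renderer.__name__, parse_page(page))
```

The third renderer is the point: escaping is not one operation but one per output context (HTML text, quoted attribute, URL, JavaScript string), and a template engine that auto-escapes for the right context is safer than hand-written escaping.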
3. Improper Input Validation (CWE-20)
The software does not validate, or incorrectly validates, input that can affect its control flow or data flow, so unexpected or malformed input reaches logic written on the assumption that such input would never arrive. Many of the more specific entries on this list (the injection flaws, path traversal, dangerous uploads) are particular cases of it.
4. Information Exposure (CWE-200)
The software reveals sensitive information (credentials, personal data, internal paths, stack traces, memory contents) to a party not authorized to see it. The exposed information is often the first step of a larger attack rather than the whole of it.
5. Out-of-bounds Read (CWE-125)
The software reads data before the beginning or past the end of the intended buffer. Besides crashing, this can disclose the contents of adjacent memory, including secrets, to an attacker who controls the read offset or length.
6. SQL Injection, AKA Improper Neutralization of Special Elements used in an SQL Command (CWE-89)
This is one of the most frequently encountered weaknesses on the list, because so many web applications are database-driven. It occurs when the software builds all or part of an SQL command from externally influenced input without neutralizing the special elements (quotes, comment markers, keywords) that could change the meaning of the command once it reaches the database. Because the technique is so well known and automated scanners probe for it constantly, any internet-facing database-driven application should expect to be tested for it.
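An added example (not from the CWE page) of the weakness and its fix side by side, in Python against an in-memory SQLite database constructed for the demonstration. The two attacker inputs are also constructed: one turns the lookup into a tautology that matches every row, the other appends a second SELECT that dumps the schema:

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable (CWE-89): the value is pasted into the command text, so a
    quote in `name` ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter.  The database receives the
    command and the data separately, so the data can never alter the command."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                                # matches every row
SCHEMA_DUMP = "' UNION SELECT sql FROM sqlite_master --"  # appends a second query


if __name__ == "__main__":
    conn = make_demo_db()
    for payload in (TAUTOLOGY, SCHEMA_DUMP):
        print("unsafe:", find_user_unsafe(conn, payload))
        print("safe:  ", find_user_safe(conn, payload))
```

Note that parameter binding only covers values. Table and column names cannot be bound, so if those come from the user they must be checked against a fixed allowlist instead.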
7. Use After Free (CWE-416)
The software continues to reference memory after it has been freed. Because the allocator may hand that memory out again for an unrelated purpose, the stale reference can corrupt data, crash the program, or, when an attacker can control what is placed in the reallocated block, lead to execution of arbitrary code.
8. Integer Overflow or Wraparound (CWE-190)
The software performs a calculation that can overflow or wrap around, while its logic assumes the result will always be larger than the original value. When the wrapped value is then used for resource management or execution control, for instance to size a buffer or index an array, it introduces other weaknesses such as an out-of-bounds write.
9. Cross-Site Request Forgery (CSRF) (CWE-352)
The web application does not, or cannot, verify that a well-formed, valid request was intentionally submitted by the user it appears to come from. Because browsers attach session cookies automatically, a request triggered from an attacker's page looks to the server exactly like one the victim made deliberately.
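An added example (not from the CWE page) of the standard countermeasure in Python: a per-session anti-forgery token that the application embeds in its own forms and checks on every state-changing request. The endpoint, the session identifiers and the form contents are constructed for the demonstration, and the server key is generated in place where a real service would load it from configuration:

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret loaded from configuration; generated
# fresh here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token = nonce.HMAC(key, session_id:nonce).  Binding the MAC to the
    session means a token minted for (or stolen from) one session is useless
    in any other, and a forged page cannot compute one without the key."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(expected, mac)


def handle_transfer(session_id: str, form: dict) -> tuple:
    """Hypothetical state-changing endpoint.  The session cookie (here the
    session_id argument) is attached by the browser to *every* request,
    including ones an attacker's page triggers; only the token proves the
    request came from a form this application served to this session."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    print(handle_transfer("sess-A", {"csrf_token": token, "amount": "50", "to": "bob"}))
    print(handle_transfer("sess-A", {"amount": "50", "to": "attacker"}))      # forged: no token
    print(handle_transfer("sess-B", {"csrf_token": token, "amount": "50", "to": "bob"}))  # wrong session
```

As written the tokens never expire; a production version would add an issue time to the MAC input and reject old tokens. Setting the session cookie's SameSite attribute is a useful second layer but does not replace the token, because not every request path is covered by it.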
10. Path Traversal, AKA Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
Another failure to neutralize special elements. The software uses external input to build a pathname meant to identify a file or directory beneath a restricted parent directory, but does not neutralize elements such as ".." or absolute paths, so the pathname can resolve to a location outside the restricted directory.
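An added example (not from the CWE page) of the containment check in Python. The base directory is a constructed path that need not exist; the check is done on the fully resolved path, which is what catches the cases a simple string comparison misses:

```python
import os
import tempfile

BASE = "/srv/app/uploads"   # constructed base directory; need not exist


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the absolute path `user_path` names inside `base_dir`, or raise.

    Hardened (CWE-22): the check is made on the *resolved* path, after ".."
    segments and symlinks have been applied, and uses commonpath rather than
    a string prefix so that "../uploads2/x" cannot pass for "/srv/app/uploads".
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise ValueError(f"absolute path not allowed: {user_path!r}")
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target


def is_rejected(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under(base_dir, user_path)
    except ValueError:
        return True
    return False


def symlink_escape_is_rejected() -> bool:
    """A symlink *inside* the base that points outside it is also caught,
    because realpath follows it before the containment check runs."""
    with tempfile.TemporaryDirectory() as base:
        os.symlink(os.path.dirname(base), os.path.join(base, "up"))
        return is_rejected(base, "up/anything")


if __name__ == "__main__":
    for candidate in ("reports/q3.pdf", "../../etc/passwd", "/etc/passwd",
                      "../uploads2/secret", "reports/../../etc/passwd"):
        print(f"{candidate!r}: {'rejected' if is_rejected(BASE, candidate) else resolve_under(BASE, candidate)}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

Checking the resolved path also means the check must be repeated if the file tree can change between check and use; on Linux, opening the directory once and using openat-style calls with O_NOFOLLOW avoids that race entirely.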
11. OS Command Injection, AKA Improper Neutralization of Special Elements used in an OS Command (CWE-78)
The operating-system counterpart of SQL injection. The software builds all or part of an OS command from externally influenced input without neutralizing shell metacharacters (such as ";", "|", "&&" or backticks) that could change the command when it is handed to the shell.
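An added example (not from the CWE page) that actually runs the injected command, in Python. The attacker input is constructed, and the Python interpreter itself stands in for whatever external program the application would call, so the demonstration needs no other binary:

```python
import shlex
import subprocess
import sys

# Constructed attacker input: a legitimate-looking argument followed by a
# second command.  Assumption: sys.executable stands in for whatever external
# program the application runs, so the example needs no other binary.
PAYLOAD = "hello; echo INJECTED"
PRINT_ARG = "import sys; print(sys.argv[1])"


def run_unsafe(user_arg: str) -> str:
    """Vulnerable (CWE-78): one string handed to /bin/sh.  The shell splits it,
    sees ';' and runs the attacker's second command."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(PRINT_ARG)} {user_arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(user_arg: str) -> str:
    """Hardened: an argv list and no shell.  Whatever the user typed is one
    argument, metacharacters included; nothing interprets it."""
    argv = [sys.executable, "-c", PRINT_ARG, user_arg]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_quoted(user_arg: str) -> str:
    """If a shell is unavoidable, shlex.quote is the neutralizer: it wraps the
    value so the shell treats it as a single literal word."""
    cmd = (f"{shlex.quote(sys.executable)} -c {shlex.quote(PRINT_ARG)} "
           f"{shlex.quote(user_arg)}")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe:", repr(run_unsafe(PAYLOAD)))
    print("safe:  ", repr(run_safe(PAYLOAD)))
    print("quoted:", repr(run_quoted(PAYLOAD)))
```

Two habits complete the picture: validate the argument against what it is supposed to be (a hostname, a file name) before it gets anywhere near a command, and name the program by absolute path rather than relying on PATH lookup (see item 22).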
12. Out-of-bounds Write (CWE-787)
The counterpart of the out-of-bounds read. The software writes data before the beginning or past the end of the intended buffer, corrupting whatever lies there: other data, heap metadata, or return addresses. It is usually more severe than a read, since a controlled write is the classic route to arbitrary code execution.
13. Improper Authentication (CWE-287)
When an actor claims a particular identity, the software does not prove, or insufficiently proves, that the claim is correct. Typical forms are authentication that can be bypassed through an alternate path, that relies on client-supplied data, or that accepts weak or forgeable credentials.
14. NULL Pointer Dereference (CWE-476)
The software dereferences a pointer it expected to be valid but that is NULL, typically because an error return or an unexpected input was never checked. The usual result is a crash, which makes this a reliable denial-of-service primitive.
15. Incorrect Permission Assignment for Critical Resource (CWE-732)
The software assigns permissions to a security-critical resource (a file, directory, registry key, or shared memory segment) that allow it to be read or modified by unintended actors. World-writable configuration files and world-readable key material are typical instances.
16. Unrestricted Upload of File with Dangerous Type (CWE-434)
The software allows the upload or transfer of files of a dangerous type that can be processed automatically within its environment. The classic case is a web application that stores an uploaded script (a .php file, for example) under a web-served directory, from which the attacker then requests and executes it.
17. Improper Restriction of XML External Entity Reference (CWE-611)
The software processes XML documents that can contain entities whose URIs resolve to documents outside the intended sphere of control. If the parser resolves them, the attacker's document can embed the contents of local files in the output, make the server fetch arbitrary URLs, or exhaust memory through nested entity expansion.
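An added example (not from the CWE page) in Python, with two constructed documents. The first declares an entity in its own DTD; the default parser honours it and substitutes the declared text, which is exactly the mechanism an external entity (one declared with SYSTEM and a file or http URI) rides on. The hardened parser refuses any document carrying a DTD before it reaches the parser at all:

```python
import re
import xml.etree.ElementTree as ET

# Constructed documents.  The first declares an entity in an internal DTD;
# an external one would read SYSTEM "file:///etc/passwd" instead.
ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY secret "text substituted from the DTD"> ]>
<note>&secret;</note>"""
PLAIN_DOC = b"<note>ordinary content</note>"

_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b")


def parse_trusting(data: bytes) -> str:
    """Parses with defaults (the weakness): the DTD is honoured and the
    entity reference is replaced with whatever the document author declared."""
    return ET.fromstring(data).text or ""


def parse_untrusted(data: bytes) -> str:
    """Hardened: untrusted XML has no business carrying a DTD at all, so refuse
    any document that declares one before the parser sees it.  This also stops
    entity-expansion ("billion laughs") amplification.  Assumes an
    ASCII-compatible encoding; for a production service use the defusedxml
    package, which disables these features inside the parser itself."""
    if _DTD_MARKERS.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(data).text or ""


def outcome(data: bytes) -> str:
    """Result of the hardened parse as a printable string."""
    try:
        return "accepted: " + parse_untrusted(data)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("default parser :", repr(parse_trusting(ENTITY_DOC)))
    print("hardened parser:", outcome(ENTITY_DOC))
    print("plain document :", outcome(PLAIN_DOC))
```

The same rule applies to other languages: disable DTD processing (or at least external entity resolution) in the parser configuration rather than trying to sanitize the document.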
18. Code Injection, AKA Improper Control of Generation of Code (CWE-94)
Another injection flaw. The software constructs all or part of a code segment from externally influenced input without neutralizing the special elements that could change its syntax or behavior, so the attacker's input ends up evaluated as code, for instance through an eval-style call or a template engine.
19. Use of Hard-coded Credentials (CWE-798)
The software contains hard-coded passwords or cryptographic keys used for inbound authentication, for outbound communication to external components, or for encrypting internal data. Anyone who obtains a copy of the software can extract and reuse them, and because every installation shares the same secret it cannot be rotated without shipping a new release.
20. Uncontrolled Resource Consumption (CWE-400)
The software does not properly control the allocation and release of a limited resource (memory, file handles, connections, CPU time), so an outside party can influence how much is consumed and drive the system into exhaustion, that is, a denial of service.
21. Missing Release of Resource after Effective Lifetime (CWE-772)
The software does not release a resource once it is no longer needed. An attacker who can repeatedly trigger the allocation path without triggering the release (a connection that is opened but never closed on an error path, say) can exhaust the pool and cause a denial of service.
22. Untrusted Search Path (CWE-426)
The software locates a resource it needs, such as an executable or a library, using a search path that can include directories outside its control: a PATH or library-search variable an attacker can influence, or the current working directory. An attacker can then place a malicious program or library with the expected name earlier in the path so that it is loaded instead of the intended one.
23. Deserialization of Untrusted Data (CWE-502)
The software deserializes untrusted data without sufficiently verifying that the resulting objects are valid. Many serialization formats let the data itself specify which classes to instantiate and which functions to call during reconstruction, so an attacker-supplied payload can execute code before the application ever inspects the result.
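An added example (not from the CWE page) in Python, where the standard pickle format is the usual culprit. The malicious payload is constructed for the demonstration and its side effect is the harmless command "true"; the hardened loader follows the allow-list pattern described in the Python pickle documentation and refuses any global the stream names that is not on the list:

```python
import builtins
import io
import os
import pickle

# Types an untrusted pickle may reference.  Everything else (os.system,
# subprocess.Popen, any application class) is refused.  Assumption: the
# application only ever exchanges plain data structures.
SAFE_BUILTINS = frozenset({"dict", "list", "tuple", "set", "frozenset",
                           "str", "bytes", "int", "float", "bool"})


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every global the stream asks for, before
    anything is called, so this is the place to enforce the allow-list."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Hardened replacement for pickle.loads on untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Callback:
    """Constructed malicious object.  pickle stores a recipe for rebuilding an
    object; this recipe is "call os.system('true')", which plain pickle.loads
    would run as a side effect of loading, before any validation."""

    def __reduce__(self):
        return (os.system, ("true",))


def forged_payload() -> bytes:
    return pickle.dumps(_Callback())


def benign_payload() -> bytes:
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def load_outcome(data: bytes) -> str:
    try:
        return "accepted: " + repr(restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(load_outcome(benign_payload()))
    print(load_outcome(forged_payload()))
```

Better still is not to accept pickle from outside the trust boundary at all: a data-only format such as JSON, validated against a schema after loading, cannot name code to run.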
24. Improper Privilege Management (CWE-269)
The software does not properly assign, modify, track, or check privileges for an actor, creating a window in which an external user can influence or control the software with more authority than intended, for example when elevated privileges are not dropped once they are no longer needed.
25. Improper Certificate Validation (CWE-295)
The software does not validate, or incorrectly validates, a certificate. An attacker presenting a malicious, expired, self-signed, or wrong-hostname certificate can then spoof a trusted entity and intercept or alter traffic that was supposed to be protected. Validation has to cover the whole chain of trust, the certificate's validity period and revocation status, and the match between the certificate and the host actually being contacted.
If you or your team experience any software errors or unusual activity on your computers, reach out to CITI. We will ensure that your systems are secure and safe from cybersecurity threats.