Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-25136 PUBLISHED: 2023-02-03
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting thi...
CVE-2023-25139 PUBLISHED: 2023-02-03
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of ...
CVE-2022-48074 PUBLISHED: 2023-02-03
An issue in NoMachine before v8.2.3 allows attackers to execute arbitrary commands via a crafted .nxs file.
CVE-2023-25135 PUBLISHED: 2023-02-03
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are...
CVE-2022-4634 PUBLISHED: 2023-02-03
All versions prior to Delta Electronic's CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.
User Rank: Ninja
6/13/2014 | 1:55:52 PM
Excellent point. But it begs the question: Who is responsible? See, for all those thousands of systems out there that make up the long tail, should it only be cyber criminals scanning the length of it until they find vulnerable systems? The obvious answer should be the IT staff who own the systems need to be doing that, too, but as history shows, they aren't all owning up to their responsibilities. So who?
I'd always imagined there would be an organization of white hatters who, with documented, iron-clad passports to hack from law enforcement and government agencies, would work day in and out doing exactly what the black hatters are doing except, once they find a vulnerable system, they immediately lock it down, or reach out to the owners and get them to do their job.
If that sounds like a superhero comic book more than reality, take account of the trillions of American dollars (and then add in every country on top of that subject to cyber criminal activities) lost to cyber crime and ask whether it isn't worth it to invest in a group like this that essentially mimics a cyber criminal crew up to the last action, then takes one more vulnerable system out of the equation.
The high tech industries have a responsibility to the average citizen to provide assurances like this, just as our government provides law enforcement and military, because high tech is where this threat comes from. Software giants have established an electronic frontier that is basically pushed upon the everyday person, whether they want it or not, yet takes little global responsibility over the security and restoration of those lives harmed through the necessity of high tech in today's society.
How about the next few million dollars invested in tech go to forming a team like this that can make a real nationwide difference, not for profit, simply to give back to the millions of people hurt by an ecosystem they may not even have wanted in their lives. For me, someone who eats, breathes and dreams tech, I think that is the least we can do; when the power goes down, it's those people we'll need to be friends with, not silicon billionaires.