Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2286PUBLISHED: 2022-07-02Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVE-2022-2285PUBLISHED: 2022-07-02Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
CVE-2022-2284PUBLISHED: 2022-07-02Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
CVE-2022-33014PUBLISHED: 2022-07-02** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2022-33015PUBLISHED: 2022-07-02** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
User Rank: Apprentice
3/3/2016 | 8:22:58 AM
This bug was in an extraneous feature, I don't want an AV that runs its own webserver on my host. Our advice is choose an AV that doesn't do silly stuff like that. So lets assume we can disable all those extra features, now we're left with this big chunk of C/C++ that tries to parse every file type you've never heard of that regulation says we have to keep on our hosts. Ok, if I can't get rid of it I can at least make attacking it more expensive for common bug types in C/C++ with Microsoft's EMET. Though as we've seen recently thanks to FireEye there are ways around that for dedicated attackers but attackers have to spend a lot of time to find those. How do we then deal with an attacker who is willing to do that leg work? We monitor our hosts for surprising new binaries/DLLs as attackers typically want some type of persistence.
In following that advice we have: reduced our attack surface by turning off AV features we don't need, increased the cost to attackers to attack us via bugs in the core part of the AV engine, and increased the odds that if we are successfully compromised we'll know about it. That's pretty reasonable substantive advice for how to deal with vulnerabilities in your defensive tool chain. I hope that readers don't come away with the impression that all security software is bad, I hope they come away with the idea that NO complex software is without vulnerabilities and they need to plan accordingly.