Ben Hawkes
Isosceles (https://t.co/GMVcBoGsqR), prev: Google, Project Zero
May 19, 2020
This is a list of the most commonly exploited vulnerabilities between 2016 and 2019, from CISA and FBI. Unfortunately they didn't share their methodology, but let's take a closer look at the CVEs, because I think the list shows an interesting trend.

1) CVE-2017-11882 - A stack overflow in Equation Editor (EQNEDT32.EXE) that was accessible via Microsoft Office documents. Crucially, neither DEP nor ASLR was enabled on this binary, meaning that the issue was trivially exploitable.