Isosceles (https://t.co/GMVcBoGsqR), prev: Google, Project Zero
May 19, 2020 • 22 tweets • 4 min read
This is a list of the most commonly exploited vulnerabilities between 2016 and 2019, from CISA and FBI. Unfortunately they didn't share their methodology, but let's take a closer look at the CVEs, because I think the list shows an interesting trend.
1) CVE-2017-11882 - A stack overflow in Equation Editor (EQNEDT32.EXE) that was accessible via Microsoft Office documents. Crucially, neither DEP or ASLR was enabled on this binary, meaning that the issue was trivially exploitable.