Conversation
Edited 11 months ago
What are typical #vulnerability types of 90s/early 2000s that are now more or less irrelevant/rare?

(I'm less interested in easy to exploit memory corruptions, more in "logical" bugs)
12
6
4
@freddy Yeah, I also have the impression that direct code/command injections (not counting deserialization) are less common these days, thanks!
1
0
0
Thinking out loud:
- Permanent pre-auth DoS in network services (yeah I know this is usually memory corruption)
- SQL injection (???)
2
0
0
@swapgs @freddy Were those common in any time period? o.O
2
0
0
@swapgs @raptor There have been multiple shifts of focus that shaped our perception for sure. I find userland LPEs on Windows still plenty and important though. Also I'm more interested in bug types than impacts (slightly contradicting my other reply about DoS).
1
0
1
@skyr If you mean self-replication then absolutely! Macros are still going strong AFAICT (default blocking will change that ofc).

It's also interesting how the exposure to trojans (iloveyou.txt.vbs et al.) have been reduced (MOTW, perimteter filtering, ???).
0
0
1
Can we say that filesystem path traversals are replaced with URL path traversals (Orange Tsai, Exchange shitshow ...)?
1
0
0
@joern I have no doubts about that, but I don't think they are as easy to come by as in the early days of PHP for example.
1
0
0
@hdm I'm also interested in bug classes becoming less prevalent (not extinct). IME SQLi's are definitely out there, but rarer than before.
1
0
1
@joern It's interesting to approach the problem from the other direction: $technology causing spikes in specific vulnerability classes 🤔
0
0
1
@xnyhps Yes! More generally: my remote interfaces are files (CGI, PHP, JSP, ...).
0
0
1
@hdm @joern I'd put serialization on that list
0
0
1