
On Vulnerability-Adjacent Vulnerabilities
2021-02-15 12:14

In September 2019, another similar vulnerability was found being exploited by the same hacking group.

More discoveries in November 2019, January 2020, and April 2020 added up to at least five zero-day vulnerabilities being exploited from the same bug class in short order.

Microsoft issued multiple security updates: some failed to actually fix the vulnerability being targeted, while others were so narrow that changing just a line or two of the hacker's code made the exploit work again.

Why aren't they being fixed? Most of the security teams working at software companies have limited time and resources, she suggests, and if their priorities and incentives are flawed, they only verify that they've fixed the very specific vulnerability in front of them instead of addressing the bigger problem at the root of many vulnerabilities.

We need to make it harder for attackers to find new vulnerabilities to exploit.

Closing entire families of vulnerabilities, rather than individual vulnerabilities one at a time, is a good way to do that.
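To make that distinction concrete, here is an added example, constructed for this page rather than taken from the post or from any vendor's patch. The post excerpt does not name the bug class involved, so the one used here is a stand-in I chose: a 32-bit size computation that wraps, letting a tiny truncated size pass a bounds check while the real write would be enormous. The three `store_*` variants and the `count_variants_escaping` sweep are hypothetical; the toy never writes out of bounds, it only reports what would have happened.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy, not code from the post or from any real product.
 * Bug class (a stand-in): count * elem_size is computed in 32 bits and
 * wraps, so the checked size is small while the real copy is not. */

#define BUF_CAP 256u

enum result { STORED = 0, REJECTED = 1, WOULD_OVERFLOW = 2 };

/* Exact product, used only to judge what the wrapped arithmetic hid. */
static uint64_t exact_size(uint32_t count, uint32_t elem_size) {
    return (uint64_t)count * elem_size;
}

/* Instead of writing past the buffer, report what would have happened. */
static enum result commit(uint32_t checked_size, uint32_t count, uint32_t elem_size) {
    if (checked_size > BUF_CAP) return REJECTED;
    return exact_size(count, elem_size) > BUF_CAP ? WOULD_OVERFLOW : STORED;
}

/* 1. Original: the size wraps, e.g. 0x40000001 * 4 == 4 in 32 bits. */
static enum result store_original(uint32_t count, uint32_t elem_size) {
    uint32_t size = count * elem_size;          /* wraps silently */
    return commit(size, count, elem_size);
}

/* 2. Narrow patch: rejects exactly the values seen in the reported exploit
 *    and nothing else; the wrapping multiply is left in place. */
static enum result store_narrow_patch(uint32_t count, uint32_t elem_size) {
    if (count == 0x40000001u && elem_size == 4u) return REJECTED;  /* the one known trigger */
    return store_original(count, elem_size);
}

/* 3. Class fix: compute the size in a width that cannot wrap, so every
 *    count/elem_size pair in the family is rejected, not just one. */
static enum result store_class_fix(uint32_t count, uint32_t elem_size) {
    uint64_t size = exact_size(count, elem_size);
    if (size > BUF_CAP) return REJECTED;
    return commit((uint32_t)size, count, elem_size);
}

/* Variant sweep: walk the neighbourhood of the reported trigger and count
 * the inputs that still reach the write. This is the regression check a
 * team would run to confirm it closed the class rather than the instance. */
typedef enum result (*store_fn)(uint32_t, uint32_t);

static int count_variants_escaping(store_fn fn) {
    static const uint32_t sizes[] = { 4u, 8u };
    int escaped = 0;
    for (uint32_t c = 0x40000000u; c < 0x40000008u; c++)
        for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
            if (fn(c, sizes[i]) == WOULD_OVERFLOW) escaped++;
    return escaped;   /* original: 16, narrow patch: 15, class fix: 0 */
}

int main(void) {
    printf("original:     %d variants escape\n", count_variants_escaping(store_original));
    printf("narrow patch: %d variants escape\n", count_variants_escaping(store_narrow_patch));
    printf("class fix:    %d variants escape\n", count_variants_escaping(store_class_fix));
    return 0;
}
```

The sweep is the point: the narrow patch turns one red result green and leaves the other fifteen untouched, which is exactly the "change a line or two and the exploit works again" pattern described above, while the class fix changes the arithmetic the whole family depends on.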


News URL

https://www.schneier.com/blog/archives/2021/02/on-vulnerability-adjacent-vulnerabilities.html