科技回声: a technology news platform built on Next.js, providing global technology news and discussion.
U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, First-Ever Report

221 points, by jc_811, 3 months ago

16 comments

nimbius, 3 months ago
I hope this signals a turning point and lessons learned from the historic practice of hoarding exploits in the hopes they can be weaponized.

When you disclose vulnerabilities and exploits, you effectively take cannons off both sides of the metaphorical battlefield. It actively makes society safer.
skirge, 3 months ago
Burning 0-days makes your enemies spend more time on finding new ones. Costs rise, so they will go bankrupt. Cold war 2.0. It's not enough to just run a grep / memcpy finder on software like 20-15 years ago.
ikmckenz, 3 months ago
There is no such thing as a "Nobody But Us" vulnerability. Leaving holes in systems and praying enemies won't discover them, with the hope of attacking them ourselves, is extremely foolish.
joshfraser, 3 months ago
I've seen the invite-only marketplaces where these exploits are sold. You can buy an exploit to compromise any piece of software or hardware that you can imagine. Many of them go for millions of dollars.

There are known exploits to get root access to every phone or laptop in the world. But researchers won't disclose these to the manufacturers when they can make millions of dollars selling them to governments. Governments won't disclose them because they want to use them to spy on their citizens and foreign adversaries.

The manufacturers prefer to fix these bugs, but aren't usually willing to pay as much as the nation states that are bidding. All they do is drive up the price. Worse, intelligence agencies like the NSA often pressure or incentivize major tech companies to keep zero-days unpatched for exploitation.

It's a really hard problem. There are a bunch of perverse incentives that are putting us all at risk.
pentel-0_5, 3 months ago
These are just the disclosed ones. The weaponized ones (as mentioned), found or bought and kept secret by the NSA, etc., such as from Zerodium (ex-VUPEN) and similar, aren't counted, obviously. ;)
HypnoDrone, 3 months ago
So there were 39 vulnerabilities that affected government systems. The rest didn't, so they had no need to disclose.
mattmaroon, 3 months ago
"What the government didn't reveal is how many zero days it discovered in 2023 that it kept to exploit rather than disclose. Whatever that number, it likely will increase under the Trump administration, which has vowed to ramp up government hacking operations."

This is a bit of a prisoner's dilemma. The world would be better off if everyone disclosed every such exploit, for obvious reasons. But if government A discloses everything and government B reserves them to exploit later, then government B has a strong advantage over government A.

The only responses then are war, diplomacy, or we do it too and create yet another mutually assured destruction scenario.

War is not going to happen because the cure would be worse than the disease. The major players are all nuclear powers. Diplomacy would be ideal if there were sufficient trust and buy-in, but it seems unlikely the U.S. and Russia could get there. And with nuclear treaties there's an easy verification method, since nuclear weapons are big and hard to do on the sly. It'd be hard to come up with a sufficient verification regime here.

So we're left with mutually assured cyber destruction. I'd prefer we weren't, but I don't see the alternative.
Veserv, 3 months ago
Disclosing zero-days so the vendor can patch them and declare "mission accomplished" is such a waste.

"Penetrate and Patch" is about as effective for software security as it is for bulletproof vests. If you randomly select 10 bulletproof vests for testing, shoot each 10 times and get 10 holes each, you do not patch those holes and call it good. What you learned from your verification process is that the process that led to that bulletproof vest is incapable of consistently delivering products that meet the requirements. Only development process changes that result in passing new verification tests give any confidence of adequacy.

Absent actively, or likely actively, exploited vulnerabilities, the government should organize vulnerabilities by "difficulty" and announce the presence of, but not disclose the precise nature of, vulnerabilities and demand process improvement until vulnerabilities of that "difficulty" are no longer present, as indicated by fixing all "known, but undisclosed" vulnerabilities of that "difficulty". Only that provides initial supporting evidence that the process has improved enough to categorically prevent vulnerabilities of that "difficulty". Anything less is just papering over defective products on the government's dime.
staticelf, 3 months ago
I think people give the US a lot of unnecessary shit. I don't think my government releases any zero days, but I am sure they must have found some. Every government today probably uses zero days, but it seems very few release information about them?
egberts1, 3 months ago
Simply because not enough anti-malware vendors are willing to let the US government know that one of their favorite hoards of malware has lost "its edge".

So, either they form a department of viability or they lose it all.
davemp, 3 months ago
While I don't think we should be hoarding vulns, the idea of the government having huge budgets to find and disclose software defects is a bit strange to me. Seems like another instance of socializing bad externalities.
ggernov, 3 months ago
These are wins, because if they're actually patched it takes offensive tools away from our adversaries.
maerF0x0, 3 months ago
The US often gets negative takes for doing what many other nations are also doing.

For example, in 2018 Tencent (basically, China) withdrew from hacking competitions like Pwn2Own, taking along with them the disclosures that proceeded.
josefritzishere, 3 months ago
I guess there won't be one in 2024.
numbsafari, 3 months ago
NOBUS is a disaster. Knowingly leaving citizens unprotected is an absolute failure of government. Having a robust policy of identifying and resolving cybersecurity faults, and holding organizations accountable for patching and remediation, is necessary if we are going to survive a real cyber "war". We are absolutely unprepared.
afavour, 3 months ago
> What changed the calculus in 2023 isn't clear.

Well, the calculus didn't change in 2023 if the report was only released a month or so ago. And in fact, in May 2024:

DHS, CISA Announce Membership Changes to the Cyber Safety Review Board https://www.dhs.gov/archive/news/2024/05/06/dhs-cisa-announce-membership-changes-cyber-safety-review-board

So some new people came in and decided that more public information was better.

> On January 21, 2025, it was reported that the Trump administration fired all members of the CSRB.

Ah, well, never mind then.