Ben Hawkes
@benhawkes
Project Zero team lead
Joined August 2008

    Ben Hawkes @benhawkes May 19

    Ben Hawkes Retweeted US-CERT

    This is a list of the most commonly exploited vulnerabilities between 2016 and 2019, from CISA and FBI. Unfortunately they didn't share their methodology, but let's take a closer look at the CVEs, because I think the list shows an interesting trend. https://twitter.com/USCERT_gov/status/1260259518862286849

    Ben Hawkes added,

    US-CERT @USCERT_gov
    Check out @CISAgov and @FBI's Alert on the Top 10 CVEs routinely exploited by foreign cyber actors. Patch ASAP to reduce your risk. https://go.usa.gov/xvHfp #Cyber #Cybersecurity #InfoSec
    9:03 AM - 19 May 2020
        Ben Hawkes @benhawkes May 19

        1) CVE-2017-11882 - A stack overflow in Equation Editor (EQNEDT32.EXE) that was accessible via Microsoft Office documents. Crucially, neither DEP nor ASLR was enabled on this binary, meaning that the issue was trivially exploitable.

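The "no DEP, no ASLR" condition called out above is something a practitioner can audit on any Windows binary they ship or deploy, because both opt-ins live in the PE optional header's DllCharacteristics field. The following is an added example, not code from this thread or from Project Zero: a Python reader for that header that reports whether an image opts into DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE), with the caveat that DYNAMIC_BASE is meaningless if relocations were stripped, since the loader then cannot rebase the image. The PE image it audits by default is a synthetic header constructed inline for offline use; EQNEDT32.EXE itself is not included.

```python
"""Audit a Windows PE image for the DEP (NX) and ASLR opt-in bits.

Added example; reads only the PE headers, so it works offline on any
.exe/.dll or on the synthetic image built by build_synthetic_pe().
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification, optional header)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
# IMAGE_FILE_* bit in the COFF file header Characteristics field
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

DLLCHARS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def pe_mitigations(image: bytes) -> dict:
    """Return which load-time mitigations the image opts into.

    ASLR is reported only when DYNAMIC_BASE is set *and* relocations were
    not stripped: without relocation data the loader cannot rebase the
    image, so the flag alone buys no randomisation.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symptr, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchars,) = struct.unpack_from("<H", image, opt + DLLCHARS_OFFSET)

    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": dynamic_base and not relocs_stripped,
        "dynamic_base_flag": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def findings(image: bytes) -> list:
    """Missing mitigations as human-readable strings (empty list == nothing to flag)."""
    m = pe_mitigations(image)
    out = []
    if not m["dep"]:
        out.append("no DEP/NX opt-in: stack and heap pages may be executable")
    if not m["aslr"]:
        if m["dynamic_base_flag"] and m["relocs_stripped"]:
            out.append("ASLR flag set but relocations stripped: image loads at fixed base")
        else:
            out.append("no ASLR opt-in: image loads at its preferred base")
    if m["pe32plus"] and m["aslr"] and not m["high_entropy_va"]:
        out.append("64-bit image without HIGH_ENTROPY_VA: limited address randomisation")
    return out


def build_synthetic_pe(dllchars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_synthetic_pe(0)  # legacy-style binary with no mitigations
    for line in findings(data) or ["DEP and ASLR both enabled"]:
        print(line)
```

Run it as `python audit_pe.py path\to\binary.exe`; with no argument it audits the synthetic no-mitigation header and prints both findings. The relocation check matters in practice: a linker can set DYNAMIC_BASE on an image whose .reloc section was later stripped, and such a binary still loads at a fixed address.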
        Ben Hawkes @benhawkes May 19

        2) CVE-2017-0199 - Logic/design flaw in embedded HTA documents, exploited via Microsoft Office documents. This issue was originally exploited as a 0day by FINSPY and LATENTBOT.

        Ben Hawkes @benhawkes May 19

        3) CVE-2017-5638 - Parsing bug in Apache Struts 2. Attackers could use Object Graph Navigation Language (OGNL) to execute arbitrary commands on the target host, i.e. this issue is trivially exploitable. Here's a snippet of the payload: ".(#cmd='whoami')."

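The payload fragment quoted above arrived in an HTTP header: CVE-2017-5638 was triggered by an OGNL expression in the Content-Type header of a request that the Jakarta multipart parser rejected, after which Struts evaluated the header value while building the error message. As an added example, not code from this thread or from the Struts project, here is a Python heuristic that a detection engineer might run over captured requests: it parses the header block, looks for a `%{...}` or `${...}` expression containing OGNL's `#` syntax in Content-Type or Content-Disposition, and flags the command-execution markers the public payloads used. The two requests are constructed samples, the malicious one shaped like the public proof of concept; the function names are this example's own. A header heuristic like this is a detection aid only, since the expression can be obfuscated, and the actual fix is patching Struts.

```python
"""Flag HTTP requests whose multipart headers carry an OGNL expression.

Added example. The sample requests below are constructed; the malicious one
mirrors the structure of the public CVE-2017-5638 proof-of-concept header.
"""
import re

# An OGNL expression: %{...} or ${...} using the '#' variable/static syntax.
OGNL_EXPR = re.compile(r"[%$]\{.*#.*\}", re.S)
# Fragments that appeared in the public payloads and indicate command execution.
EXEC_HINTS = ("#cmd=", "ProcessBuilder", "java.lang.Runtime", "getRuntime", "#_memberAccess")
# Headers the Jakarta multipart parser echoed into its error message.
SUSPECT_HEADERS = ("content-type", "content-disposition")


def parse_headers(raw: str) -> dict:
    """Minimal parser for the header block of one HTTP/1.1 request (names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str) -> dict:
    """Return {'suspicious': bool, 'hits': [{'header': ..., 'exec_hint': bool}, ...]}."""
    headers = parse_headers(raw)
    hits = []
    for name in SUSPECT_HEADERS:
        value = headers.get(name, "")
        if OGNL_EXPR.search(value):
            hits.append({"header": name,
                         "exec_hint": any(h in value for h in EXEC_HINTS)})
    return {"suspicious": bool(hits), "hits": hits}


def scan(requests) -> list:
    """Indices of the requests in an iterable that look like OGNL injection attempts."""
    return [i for i, raw in enumerate(requests) if inspect_request(raw)["suspicious"]]


# Constructed sample traffic (not real captures).
BENIGN = ("POST /upload.action HTTP/1.1\r\n"
          "Host: app.example.test\r\n"
          "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
          "Content-Length: 0\r\n\r\n")
MALICIOUS = ("POST /upload.action HTTP/1.1\r\n"
             "Host: app.example.test\r\n"
             "Content-Type: %{(#_='multipart/form-data').(#cmd='whoami')"
             ".(#p=new java.lang.ProcessBuilder(#cmd))}\r\n"
             "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for i in scan([BENIGN, MALICIOUS]):
        print("request", i, inspect_request([BENIGN, MALICIOUS][i])["hits"])
```

A benign multipart upload carries a plain `multipart/form-data; boundary=...` value and is not flagged; the constructed attack request is flagged on Content-Type with `exec_hint` set because it contains `#cmd=` and `ProcessBuilder`.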
        Ben Hawkes @benhawkes May 19

        4) CVE-2012-0158 - Buffer overflow vulnerability in MSCOMCTL.OCX that was typically exploited via Microsoft Office documents. This issue was originally exploited as a 0day (e.g. "Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.").

        Ben Hawkes @benhawkes May 19

        5) CVE-2019-0604 - Parsing bug in Microsoft SharePoint. SharePoint would deserialize XML such that attackers could control the type of the deserialized object. This issue is trivially exploitable once you know which object to instantiate to achieve remote code execution.

        Ben Hawkes @benhawkes May 19

        6) CVE-2017-0143 - This is a type confusion vulnerability in Microsoft Windows' SMB implementation, also known as EternalSynergy. This issue was originally exploited as a 0day (we can reliably infer this given the context of the disclosure).

        Ben Hawkes @benhawkes May 19

        7) CVE-2018-4878 - Use-after-free in Adobe Flash's MediaPlayer DRM Listener. This issue was originally exploited as a 0day by ScarCruft/APT37/Reaper. This issue was commonly exploited via Office documents (remember that Flash became sandboxed in Chrome in late 2016).

        Ben Hawkes @benhawkes May 19

        8) CVE-2017-8759 - Code injection vulnerability in Microsoft's SOAP WSDL parser. Again, the preferred delivery mechanism was through Microsoft Office documents. This issue was originally exploited as a 0day by BlackOasis.

        Ben Hawkes @benhawkes May 19

        9) CVE-2015-1641 - Type confusion in Microsoft Office's parsing of SmartTag elements. This issue was originally exploited as a 0day, but we don't have any attribution data available. For ASLR, the exploit used the fact that MSVCR71.DLL was loaded at a fixed address in Windows 7.

        Ben Hawkes @benhawkes May 19

        10) CVE-2018-7600 - This was a remote code execution vulnerability in Drupal, also known as Drupalgeddon. Attacker-controlled content could be evaluated as PHP. This issue was trivially exploitable, since attackers could call PHP's exec function with arbitrary parameters.

        Ben Hawkes @benhawkes May 19

        Out of the ten CVEs listed, six were originally exploited as 0day, and four were trivially exploitable (three logic bugs, and one target with no DEP/ASLR). What does this tell us?

        Ben Hawkes @benhawkes May 19

        Opportunistic attackers are either waiting for bugs that require no additional R&D (design flaws, logic bugs, other easily exploitable conditions), or waiting for fully developed and reliable exploits to become available (typically when a 0day is leaked or detected).

        Ben Hawkes @benhawkes May 19

        Importantly, attackers aren't using publicly disclosed security research in the same way that they used to, except when a bug is extraordinarily trivial to exploit. And the chances that we can stop attackers from learning about those bugs through patch analysis are very low.

        Ben Hawkes @benhawkes May 19

        Even if all security researchers globally stopped publishing technical data on their discoveries, and also agreed never to publish patch analysis or binary diffing results, attackers would still have a plentiful supply of exploits that were originally detected as 0day.

        Ben Hawkes @benhawkes May 19

        I'd quickly note that Project Zero has disclosed technical details for over 1700 bugs, and none of our issues are in the top 10. On the flip side, there is a huge defensive benefit from sharing data about how different attacks work and how to build structural defenses for them.

        Ben Hawkes @benhawkes May 19

        A lot of vendors have asked us to redact technical details from our bug reports at various points. I understand where this comes from -- fear of the unknown, fear that their users will be harmed, and fear of bad press for their product. Let's not make decisions based on fear.

        Ben Hawkes @benhawkes May 19

        Observable user harm is disproportionately coming from the fallout of 0day exploits being leaked/detected, and from a handful of trivially exploitable bugs. It's not coming from security researchers disclosing messaging app bugs, browser exploits, or kernel priv-escs.

        Ben Hawkes @benhawkes May 19

        These disclosures still have an important purpose: raising awareness about the capabilities of 0day exploits, teaching the next generation of researchers, driving change at vendors/OSS projects, motivating follow-up research/investment, etc.

        Ben Hawkes @benhawkes May 19

        But it's very rare that a vulnerability disclosure meaningfully increases attacker capability, relative to their existing capability. And compared to silent fixes or non-disclosure, the net result of vulnerability disclosure is overwhelmingly better for defensive outcomes.

        Ben Hawkes @benhawkes May 19

        So on the sweeping claims of irresponsible disclosure, emotion-driven policy making, assumptions of bad faith. Let's talk about models, data, and forecasting instead. I think we can make some very good predictions about which CVEs are likely to cause significant user harm.

        Ben Hawkes @benhawkes May 19

        Finally, let's redirect some of that energy towards the attackers who develop and deploy (often recklessly deploy) 0day exploits, which leads to many years of unintended fallout and expensive cleanups after their exploits are leaked or discovered. The damage is enormous. [END]
