Vulnerabilities exist in all software, including malware. The act of writing malware doesn't mean the programmer magically creates code that doesn't have vulnerabilities. It just means that the programmer is looking to possibly exploit vulnerabilities by creating their own code, which may also contain vulnerabilities.

The malvuln project takes malware and looks for vulnerabilities in the software. I thought I'd take their work and compare it to another set of data from the general software vulnerabilities in 2021. Of course, this comparison doesn’t represent all the malware available, just like the general software vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) data aren't from all the software available. However, they are subsets we can analyze.

I decided to look at the type of vulnerabilities found in each set of data. That means for the vulnerabilities of 2021, I'm looking at the CVEs issued in 2021 and considering the Common Weakness Enumeration (CWE) for each one. For the malvuln data, each report has a line that identifies the kind of vulnerability found. There isn't an exact match-up between the two sets, but I can infer similarities based on the descriptions.

I started collecting the data at the beginning of January 2021, and I downloaded new files every day from the malvuln data set. There are 226 advisories in my collection, and the types of malware include Backdoors, Trojans, Worms, Constructor, Viruses, and other malicious software. After processing the reports, I discovered that the most common vulnerability in this set is Insecure Permissions, with 87 instances out of the 226 reports or 38.5%. The next four most common vulnerabilities are Remote Stack Buffer Overflow, Missing Authentication, Unauthenticated Remote Command Execution, and Remote Denial of Service.

Turning to the CVE data from the National Vulnerability Database (NVD), so far, the top CWE for 2021 is CWE-80 (Cross-Site Scripting). It makes sense that this vulnerability is not as common for malware since most of these are Win32 binaries and not web programs. However, the third and fourth most common CWEs for 2021 are related to Insecure Permissions. They are CWE-269 (Improper Privilege Management) and CWE-863 (Incorrect Authorization).

All programmers—whether or not they write malware—have similar issues with permissions. Does that give us an edge in fighting malware? Only research can answer that question. Can we take advantage of their mistakes as they do ours? Only time will tell.