The latest security vulnerability discovered by researchers at Trend Micro and Kaspersky Lab could be used to compromise a wide variety of devices, from mobile devices to connected computers to routers, mobile phones, and other devices.
The new paper, published today in the Journal of the Association for the Advancement of Science, focuses on the vulnerabilities CVE-2014-2371 and CVE-2015-1822.
The authors note that while both vulnerabilities have been publicly disclosed and patched, there is still much work to be done before any devices can be used in a real attack.
“While there are several known issues with the implementations, the lack of proper documentation, and the lack of understanding of the vulnerabilities can make the problem difficult to debug,” the authors wrote.
“The lack of documentation is compounded by the difficulty in identifying which devices are vulnerable and how they can be exploited.”
For example, the authors say that the most commonly exploited vulnerabilities appear to be “self-explanatory.”
“While the exploit attempts to trigger a kernel-mode stack overflow, it is possible to bypass this mitigation by bypassing the stack unwinding mechanism and executing arbitrary code on the stack,” they write.
“Although it is not trivial, the attackers have successfully bypassed this mitigation.”
The researchers also found that the attackers could potentially bypass a hardware-level mitigation for the same issue by exploiting a kernel stack overflow.
“We did find a vulnerability in a specific implementation of [CVE-2015-1822], but it was not exploitable by a simple kernel stack overwriting,” the researchers write.
“The exploitation of this vulnerability would require additional work and would likely require additional hardware.”
The authors also write that they “did not find a specific mitigation for this issue.”
The report comes at a time when researchers and vendors are scrambling to fix many of the flaws reported in the wake of the release of the Windows 8 operating system.
The researchers say that “many of the more advanced flaws in [CVE] 2016-2471 were found in prior versions of Windows.”
“We have identified and mitigated several of the most common issues related to CVE-2019-2442, CVE-2018-6015, CVE to CVE, CVE 2017-1205, CVE 2018-3186, CVE 2016-2298, and CVE 2016, as well as CVE 2018,” the report states.
“In the past few years, we have discovered some more interesting vulnerabilities that are not directly related to these issues, such as CVE-2012-1701, CVE 2009-1518, CVE 2010-2158, CVE 2012-1158, CVE 2015-1731, CVE 2020-4161, CVE 2021-2137, CVE 2022-2134, CVE 2023-5151, CVE 2024-4136, CVE 2030-843, CVE 2025-4131, CVE 2050-1235, CVE 2170-1706, CVE 2110-2143, CVE 2511-1619, CVE 3145-1812, CVE 3500-1610, CVE 4151-1821, CVE 5035-1916, CVE 5150-1918, and more.”