Tuesday, January 6, 2026

The 2025 most dangerous software exploits list


Dad (who was a history professor) liked to say that History repeats itself because nobody listens the first time.  I get an incredible sense of deja vu all over again looking at Mitre's list of top 25 exploits for 2025.

The top 4 are all very, very old.  I myself demonstrated #4 when I taught a computer security class (with corporate IT Security present) back in 1994.  That's three decades ago.

And what's with numbers 11 and 14?  One of the classic papers on software security is Smashing The Stack For Fun And Profit - from 1996.

Numbers 3, 6, and 22 are web server vulnerabilities that are over 20 years old, and I've posted about them before. 

17, 19, and 21 have been known since before I was in this industry.  Call it the 1980s, although it's likely older.

I guess it's nice to see a shout-out to DoS (number 25) although geez, this is depressing.

So that's half the list having been known for literally multiple decades. So what gives?

I blame Agile Software Development.   I guess I'm the cranky old guy yelling at the sky here, because this is how all software is developed these days.  Product Managers (my old field) are to blame here, having spent the last 20 or 30 years pushing Go Ugly Early - get working product shipping as soon as possible and let customers tell you how to improve it.  Essentially, a lot of what you would have the developers spend their time fixing are things that customers just don't care about.

This has led to a pushback of sorts from software professionals, particularly the Software Craftsmanship movement.  Their manifesto is interesting:

As aspiring Software Craftsmen we are raising the bar of professional software development by practicing it and helping others learn the craft. Through this work we have come to value:

  • Not only working software, but also well-crafted software
  • Not only responding to change, but also steadily adding value
  • Not only individuals and interactions, but also a community of professionals
  • Not only customer collaboration, but also productive partnerships

So what's missing from this?  How about don't keep making the same dumb security mistakes that people have been making for decades?

And what do Product Managers miss in their rush to go ugly early? How about don't keep making the same dumb security mistakes that people have been making for decades?

And so here we are.  The IT infrastructure of the 21st Century has been constructed out of moonbeams and cotton candy.

I don't see anything changing here, as the incentive structures are all stacked against good security. 

Wednesday, December 31, 2025

Face Vocal Band - The Parting Glass

Adieu, 2025.  This is a fine, traditional song for departing guests.


Here's wishing you a very happy 2026.

2025 Blog stats

This was the best year ever for traffic here: 4.5M page views.  This brings the all-time total to 19.5M.  There's quite a market for free Internet blather.

And this year's over 1000 comments from you is (I think) also a record.  Many thanks to everyone who keeps coming by and especially for commenters.

Top referrers:

  1. Knuckledraggin My Life Away (thanks, Wirecutter!)
  2. The Feral Irishman (thanks, blog brother!)
  3. Raconteur Report (thanks, Aesop!)
  4. Normal American (I hope you haven't hung up your blogging shoes)
  5. Busted Knuckles (thanks, CederQ!)
  6. The Silicon Graybeard (thanks, buddy!)

If anyone cares, here is a list of the top posts for traffic.  It's interesting that most are pretty old:

  1. I Am TJIC (after 14 years this still gets a ton of traffic)
  2. I Confess, I'm Not Opposed To Gun Control (this was fun to write)
  3. This Blog Belches Carbon (from all the way back in 2010) 
  4. A Layman's Guide to the Science of Global Warming (needs updating)
  5. Dad Joke CCCLVIIII (I have no idea why this got so much traffic)
  6. Dad Joke CCCLXII (Tuna is doing most of my Dad Joke blogging)
  7. Should You Be A Global Warming Skeptic? (from 2009 but superseded by the Layman's Guide post, above)
  8. Aaaaarrrrrrgh, Matey! Don't be shiverin' me timbers! (A blog meet from 2009)
  9. Google Play Store filled with malware (a post from 2025!)
  10. This.  1000x this. (another post from 2025!  Go figure ...)

So a lot of old posts still drawing traffic.  It's gratifying to read them and see how well they've held up.

So goodbye to 2025 blogging.  On to 2026! 

Monday, December 29, 2025

Free Open Source software without Linux

For years I've touted (and recommended) Linux, the Free Open Source Software (FOSS) that is the heart of Internet servers, Internet routing nodes, and Android.  I have a lot of experience with Linux, having run it since kernel version 0.99 back in 1994 or so.  Slackware on 25 pounds of 3.5" floppy disks FTW.

One question that comes up regularly is what non-technical people can do.  While Linux has become a lot easier to install and run, there are still the occasional weirdnesses that come up, like the Brave Browser's refusal to print to anything other than PDF.  This means that if you live in a Linux world, you regularly have to figure out workarounds.

And thus, the questions.  It's pretty easy for someone like me with 30 years of Linux experience* (good Lord, can it really be that long???), but for everyday folks who don't dig kernel versions and package dependencies, it's a daunting prospect.

As it turns out, there is a ton of high quality FOSS software for Windows and Mac users, and as your current computer ages and falls out of support, these can be a great way to extend the life of your computer.

I highly recommend this article from The Register on where to find high quality, non-malware FOSS packages.  It's very long and information-rich, so if you have an aging computer and you really don't want to load Linux on it, it's worth 10 minutes of your time.

Strongly recommended for normal computer users. Techie users will stay with sudo apt-get install foo but that just sort of proves my point.

About the only thing you won't get for your old Windows or Mac computer are security updates once the OS is end of life.  That's a big issue these days, and while it is possible to lock down a (say) old Windows OS to minimize your risk, it probably takes more tech savvy than installing Linux.  But if you are still getting security patches, FOSS can help you adapt to your apps demanding you upgrade the OS.

* Interestingly, each year for the last 20 years has been "This is the year of Linux", and it really hasn't because the workarounds haven't ever gone away.  I'd argue that the only place where Linux is truly easy to use is Android, because Google invested a ton of money smoothing it out.

Thursday, December 25, 2025

Wednesday, December 24, 2025

Luciano Pavarotti and Placido Domingo - O Holy Night

The Christmas Truce, World War II version

I had never heard this story, but it's true.  US and German soldiers lost in the Battle Of The Bulge had Christmas dinner together rather than killing each other, all due to a good German Hausfrau who had had enough of war on Christmas.  You have to jump ahead to around 6:30 for the story - before that, it's a mincemeat pie recipe from the WWII US Army Field Cookbook (which also seems pretty interesting).


And while it's not (quite) Christmas yet, Hans Gruber is fixin' to fall off of Nakatomi Plaza.

Monday, December 22, 2025

All I want for Christmas

James emails this bit of awesome:

Sunday, December 21, 2025

Dad Joke CCCLXV

What do you call someone who is afraid of Santa Claus?

A Klaus-trophobe. 

George Frideric Handel - Hallelujah Chorus from The Messiah

With a Flash Mob at Macy's, and accompanied by the Wanamaker organ - the world's largest pipe organ.