Slide Show: The Vulnerability 'Usual Suspects' Of 2012
Here's the list of applications, companies, and targets that dominated vulnerability and exploit headlines in 2012
According to Kaspersky Lab Securelist, Adobe Acrobat Reader was second only to Java in the list of applications with the most targeted vulnerabilities last quarter. Attacks against the PDF program made up 25 percent of all Web exploits. Creativity is rewarded in attacks against PDFs. For example, at the BSides conference this year, one researcher demonstrated how SQL injection attacks could be made against websites serving PDFs, causing them to offer up a number of nasty malformed versions of legitimate-seeming documents.
In the third quarter of this year, Java vulnerabilities were targeted in more than half of all attacks. With a bountiful crop of Java zero-day attacks and generally poor Java patching practices rampant at most organizations, it's no wonder that hackers made hay with this application.
The big flap last month over the U.S. government warning companies to avoid buying hardware from Huawei and ZTE for fear of exploitable backdoors is just one example of how hardware vulnerabilities made it into the limelight this year. But that wasn't all. For example, in July, Cisco announced serious vulnerabilities in its TelePresence kit that put users at serious risk. And at Black Hat, one researcher showed how SQL injection could be used to root Netgear routers.
The last Oracle CPU of the year featured a Core RDBMS fix for a vulnerability with a CVSS base score of 10.0. That's fitting in a year where Oracle had been beaten up by critics for failing to address serious database vulnerabilities that put some of the most sensitive enterprise data stores at risk for attack.
Last year, Adobe Flash made news for the 40-fold increase in exploits against it. Attackers just kept hammering Flash this year, with the application a key target within the BlackHole exploit kit and several Flash zero-day attacks sending IT admins scurrying throughout 2012. Adobe is getting serious about closing these holes, though--last week it announced it would release Flash Player updates on Microsoft's Patch Tuesday schedule, while at the same time patching seven critical vulnerabilities in the application.
Most security experts are giving Microsoft credit for making IE much more secure these days, but the browser is still a very common target for attackers. It will especially be so following this week's Patch Tuesday release, which fixes a "highly exploitable" drive-by-download vulnerability in IE 9 that Qualys experts warned was the most important patch to take care of this month.
Attackers continued to rely on bread-and-butter exploits against Microsoft Word this year, because they just keep working, researchers with Trend Micro reported back in April.
"Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker's payload malware into the target's computer," wrote Ryan Flores, senior threat researcher with Trend.
Word documents were the most popular of those exploit document types, accounting for just over 63 percent of the most exploited Microsoft software in 2012.
This year has seen Apple fixing a number of critical vulnerabilities within its QuickTime media player. In fact, according to Kaspersky, QuickTime ranks among the top 10 most vulnerable programs in the third quarter of 2012. It's also one of the apps most likely to be forgotten during patch cycles, experts warn.
Attacks against Android mobile devices continue to trend upward, with researchers at Trend Micro counting 175,000 different malicious and suspicious application packages targeting Android platforms by the end of the third quarter. Meanwhile, researchers at F-Secure reported a tenfold increase in Android mobile malware between the second and third quarters.
Ask most security experts out there about the most effective vulnerability to target on the Web and they'll inevitably answer, "SQL injection." Organizations like the state of South Carolina and Adobe are just the tip of the iceberg when it comes to victims of SQLi attacks against internal apps in 2012. It is no surprise, considering results from a Veracode study this year showing that 84 percent of Web applications from public companies failed initial testing against the OWASP Top 10 vulnerability categories. And hackers know it--they're using automated tools like Havij to make the most of these vulnerabilities.
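The reason SQL injection keeps topping these lists is the pattern shown below: user input spliced into the text of a query. This is an added example, not code from the article or from any of the organizations it names; it uses an in-memory SQLite table with constructed sample rows (`alice`, `bob`) and hypothetical helper names (`lookup_unsafe`, `lookup_safe`) to show the vulnerable construction next to the parameterized one that the OWASP Top 10 guidance calls for.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory users table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller's value becomes part of the SQL text itself,
    so quotes and keywords in the input change the query's meaning."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, username):
    """Hardened pattern: a parameterized query. The SQL text is fixed and the value
    travels separately, so the driver treats it purely as data."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def compare(username):
    """Run the same input through both helpers and return the row counts side by side,
    which is the check a reviewer wants when auditing query construction."""
    conn = make_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, username)),
        "safe_rows": len(lookup_safe(conn, username)),
    }

if __name__ == "__main__":
    # A normal username matches one row either way.
    print("alice ->", compare("alice"))
    # An input carrying quote characters is where the two diverge: the unsafe
    # version returns every row, the parameterized version returns none.
    print("tautology ->", compare("x' OR '1'='1"))
```

The `compare` function is the useful part for a code review or a unit test: any input that makes `unsafe_rows` differ from `safe_rows` is evidence that the query text, not the data, is being controlled by the caller.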