
8 of the 10 Most Exploited Bugs Last Year Involved Microsoft Products

Six of them were the same as from the previous year, according to new Recorded Future analysis.

For the third year in a row, cybercriminals exploited vulnerabilities in Microsoft products far more than security flaws in any other technology, new data for 2019 shows.

Eight out of the 10 most exploited vulnerabilities in 2019 in fact impacted Microsoft products. The other two—including the most exploited flaw—involved Adobe Flash Player, the previous top attacker favorite, according to analysis by Recorded Future.

As it has done for the past several years, Recorded Future analyzed data gathered from vulnerability databases and other sources to identify the vulnerabilities most used in phishing attacks, exploit kits, and remote access Trojans.

The threat intelligence firm considered data on some 12,000 vulnerabilities that were reported and rated through the Common Vulnerabilities and Exposures (CVE) system last year. Vulnerabilities tied to nation-state exploits were specifically excluded because such flaws are not typically offered for sale, or even mentioned much, on underground forums, according to Recorded Future.

The 2019 analysis showed a continued—and unsurprising—preference among cybercriminals for flaws impacting Microsoft software.

The most exploited vulnerability in 2019 was CVE-2018-15982, a use-after-free issue in Adobe Flash Player. Exploits for the remote code execution flaw were distributed widely through at least ten exploit kits, including RIG, Grandsoft, UnderMiner, and two newcomers, Capesand and Spelevo. This vulnerability and another use-after-free issue affecting multiple Adobe Flash Player versions (CVE-2018-4878) were the only entries in Recorded Future's top 10 unrelated to Microsoft.

Four of the remaining eight vulnerabilities in Recorded Future's top 10 impacted Internet Explorer. One of them, CVE-2018-8174, a remote code execution flaw in the Windows VBScript engine, was the second-most abused flaw in 2019 and the most exploited issue in 2018. Exploits for it were distributed through multiple exploit kits, including RIG, Fallout, Spelevo, and Capesand.

Troublingly, six of the vulnerabilities on the 2019 list were also in the 2018 top 10. One of them, a critical remote code execution flaw in Microsoft Office/WordPad (CVE-2017-0199), has been on the list for three years. In fact, only one vulnerability in Recorded Future's 2019 top 10 was disclosed that same year: CVE-2019-0752, a "Scripting Engine Memory Corruption Vulnerability" in Internet Explorer 10 and 11.

"The number of repeated vulnerabilities is significant because it reveals the long-term viability of certain vulnerabilities," says Kathleen Kuczma, sales engineer at Recorded Future. Vulnerabilities that are easy to exploit or impact a common technology are often incorporated into exploit kits and sold on criminal underground forums, she notes.

CVE-2017-0199, for instance, continues to be heavily exploited because it impacted multiple Microsoft products, specifically Microsoft Office 2007-2016, Windows Server 2008, and Windows 7 and 8. "The number of products impacted, coupled with its inclusion in multiple exploit kits, makes it a viable vulnerability to continue to exploit," Kuczma says.

Another reason criminals continue exploiting certain vulnerabilities is simply that they work. Organizations often take a long time to address known vulnerabilities even when the flaws are being actively exploited or distributed through exploit kits. Common reasons for delays in patching include concern over downtime and operational disruption, and concern that patches will not work or will break applications. Others include a lack of visibility and an inability to identify potentially vulnerable systems on the network.

Patching Challenges

"Many in security, primarily those that don't work on blue teams for large organizations, like to look through rose-tinted glasses," says Brian Martin, vice president of vulnerability intelligence at Risk Based Security. "The unfortunate reality is that patching all of the systems in a large organization is brutal."

It is not uncommon at all for penetration testers to discover systems on a target network that the hiring organization was not even aware of, he says.

Recorded Future's analysis also showed a continuing decline in the use and availability of new exploit kits. Exploit kits were once extremely popular because they let even cybercriminals with relatively little skill execute sophisticated attacks. In 2016, Recorded Future counted at least 62 new exploit kits on underground markets; in 2019, there were just four new entrants.

The decline, which numerous security vendors and researchers have reported over the last two years or more, is primarily the result of multiple successful law enforcement actions against the groups selling exploit kits.

The 2016 arrests of dozens of individuals in Russia behind the Angler exploit kit operation are just one example, Kuczma says. Another factor is the relative scarcity of zero-day flaws, which exploit kits primarily relied on to be successful. "With fewer zero-days, companies are better able to shore up their defenses against potential exploit kit usage," she notes.

Harrison Van Riper, strategy and research analyst at Digital Shadows, says another factor is the planned end-of-life of Adobe Flash this year. Flash used to be an extremely common attack vector and was therefore popular among exploit kit makers. With the technology scheduled for termination this year and modern browsers no longer running Flash automatically, interest in exploit kits has dwindled.

Lists like Recorded Future's can help organizations identify the biggest immediate threats so remedial action can be prioritized. According to Recorded Future, less than 1% of all disclosed vulnerabilities are immediately weaponized. Information on the ones being actively exploited therefore gives organizations a better understanding of the specific issues affecting their technology stack.

"Vulnerabilities that are being actively exploited should be considered priorities for patching," Van Riper says. "Keeping up to date with newly disclosed vulnerabilities and exploits can also help with prioritizing patch processes."

Organizations also need to realize that known vulnerabilities are often actively exploited before a CVE number is assigned to them, says Martin from Risk Based Security.

According to the company, the CVE and National Vulnerability Database (NVD) system often omits security vulnerabilities that researchers discover and disclose through other channels. In a report last year, Risk Based Security warned that organizations relying solely on CVE/NVD are likely missing information on nearly one-third of all disclosed vulnerabilities. The firm has said its researchers found 5,970 more vulnerabilities last year than were reported in the NVD; of those, over 18% had a severity rating between 9 and 10.

"While such a list is interesting and helpful, a more interesting nuance for the list would be to note the vulnerabilities but show a 'time to CVE assignment' metric," he says. Such a metric would show how long a security bug took to go from first recorded exploitation to CVE assignment, and from there to the CVE being opened and made public.
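As an added illustration of the two points above, Van Riper's advice to put actively exploited flaws first and Martin's proposed "time to CVE assignment" metric, the following Python script re-ranks a scan export by exploitation evidence rather than raw CVSS. It is example code written for this page, not code from Recorded Future, Risk Based Security, or Digital Shadows. The exploited set is the five CVEs the article names from the 2019 top-10 list; the hosts, CVSS scores, and dates are constructed sample data, and CVE-0000-0000 is a placeholder identifier, not a real CVE.

```python
"""Rank a vulnerability scan by exploitation evidence and report time-to-CVE.

Added example for this article, not code from Recorded Future, Risk Based
Security or Digital Shadows. ACTIVELY_EXPLOITED holds the CVEs the article
names from the Recorded Future 2019 top-10 list. The hosts, CVSS scores and
dates in SAMPLE_SCAN are constructed, and CVE-0000-0000 is a placeholder
identifier used only to show what a CVSS-only sort would do.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# CVEs the article names from Recorded Future's 2019 most-exploited list.
ACTIVELY_EXPLOITED = {
    "CVE-2018-15982",  # Adobe Flash Player use-after-free, most exploited in 2019
    "CVE-2018-8174",   # Windows VBScript engine RCE, second in 2019, first in 2018
    "CVE-2018-4878",   # Adobe Flash Player use-after-free
    "CVE-2017-0199",   # Microsoft Office/WordPad RCE, on the list three years running
    "CVE-2019-0752",   # Internet Explorer scripting engine memory corruption
}


@dataclass
class Finding:
    host: str
    cve: Optional[str]                 # None when only a vendor advisory exists so far
    cvss: float                        # scanner-reported base score
    first_exploited: Optional[date]    # first recorded in-the-wild exploitation (constructed)
    cve_assigned: Optional[date]       # date the CVE was assigned and published (constructed)


def is_known_exploited(f: Finding) -> bool:
    """True when the CVE is on the exploited feed, or when exploitation was recorded
    directly (for example by the IR team) even though no CVE exists yet. The second
    branch covers the exploited-before-CVE case Martin describes."""
    on_feed = f.cve is not None and f.cve in ACTIVELY_EXPLOITED
    return on_feed or f.first_exploited is not None


def priority_key(f: Finding) -> Tuple[int, float]:
    """Known-exploited findings first, then descending CVSS within each group.

    A plain CVSS sort would put the 9.8 placeholder at the top; exploitation
    evidence overrides raw severity, which is the article's prioritization point.
    """
    return (0 if is_known_exploited(f) else 1, -f.cvss)


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings in patch-priority order."""
    return sorted(findings, key=priority_key)


def time_to_cve_days(f: Finding) -> Optional[int]:
    """Martin's suggested metric: days from first exploitation to CVE assignment.

    None means the metric cannot be computed, either because a date is unknown or
    because no CVE exists yet, the exploited-but-untracked case the article warns about.
    """
    if f.cve is None or f.first_exploited is None or f.cve_assigned is None:
        return None
    return (f.cve_assigned - f.first_exploited).days


def report(findings: List[Finding]) -> List[Tuple[str, Optional[str], bool, Optional[int]]]:
    """One row per finding in priority order: host, cve, exploited?, time-to-CVE days."""
    return [(f.host, f.cve, is_known_exploited(f), time_to_cve_days(f)) for f in triage(findings)]


# Constructed scan export. Dates are illustrative, not real disclosure timelines.
SAMPLE_SCAN = [
    Finding("db01", "CVE-0000-0000", 9.8, None, None),                            # placeholder, no exploitation evidence
    Finding("ws-17", "CVE-2017-0199", 7.8, date(2017, 1, 25), date(2017, 4, 11)),  # on the feed
    Finding("web03", "CVE-2019-0752", 7.5, date(2019, 3, 12), date(2019, 4, 9)),   # on the feed
    Finding("kiosk", None, 8.1, date(2019, 9, 3), None),                          # exploited, no CVE yet
]

if __name__ == "__main__":
    for host, cve, exploited, ttc in report(SAMPLE_SCAN):
        print(f"{host:6} {cve or '(no CVE)':15} exploited={exploited!s:5} time_to_cve_days={ttc}")
```

Run stand-alone, the script lists the three findings with exploitation evidence ahead of the higher-scoring placeholder, and reports a time-to-CVE value only where both dates and a CVE exist; the "kiosk" row shows why a CVE-keyed feed alone would have missed it.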

For organizations, the key takeaway is to pay attention to patching. "Vulnerability management has become a major priority recently, given the proliferation of attacks that rely on exploits that have existing patches," says Rui Lopes, engineering and technical support director at Panda Security. "A rock-solid process for assessing and deploying patches should be the bedrock of every organization’s vulnerability management plan."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
