Vulnerabilities / Threats

5/6/2016
11:00 AM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

The 10 Worst Vulnerabilities of The Last 10 Years

From the thousands of vulns that software vendors disclosed over the past 10 years, a few stand out for being a lot scarier than the rest.
Previous
1 of 11
Next

Image Source: Software Bug

Image Source: Software Bug

Security vulnerabilities are a fact of life in modern software.

Nearly every product from every vendor has vulnerabilities, and some of them more so than others.

Take Microsoft for instance. CVE Details, a site that chronicles publicly disclosed vulnerabilities shows that in the 10 years starting with 2006 the company has disclosed an astonishing 3,157 security flaws in its products at the rate of more than one vulnerability every two days.

Some 50 percent of them involved errors that allowed malicious code execution. Exploits were created for a total of 192 of those flaws.

But Microsoft is in no way alone. In second place behind it is Oracle with a tally of over 3,100 disclosed vulnerabilities in the last 10 years of which more than 10 percent were announced in 2015. Apple’s products, generally perceived as being more secure than Microsoft’s software, rang up over 2,600 vulnerabilities in the last ten years, a staggering 689 or 26 percent of them in just the last year. Others with a relatively high number of vulnerabilities include IBM, Cisco and Adobe.

Choosing 10 of most egregious flaws from this massive compendium of software errors is not easy given the sheer number of vulnerabilities and range of products involved. Fortunately, only a relatively tiny number of the reported vulnerabilities were of the kind that posed a major threat to users. And only an even smaller number of them rose to the level of a threat with implications for a broad section of users. In some cases, bugs that were dangerous were not easy to exploit. In others, bugs that were easy to exploit did not pose a real threat to security.

Adobe Flash was especially noteworthy for the sheer number of flaws reported in the product in recent years. Though none of them made the Top 10 list, Flash Player vulnerabilities have proved to be a huge headache for everyone. A vulnerability analysis by Recorded Future last year showed that 8 of the top 10 vulnerabilities leveraged by exploit kit makers in 2015 involved Flash Player.

In the following pages (and in no particular order) are 10 vulnerabilities that stood out from the rest over the last 10 years.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nathanwburke
50%
50%
nathanwburke,
User Rank: Author
5/9/2016 | 12:05:52 PM
Re: OS vulnerabilities
It's a good point you raise about Mac vulnerabilities. Macs are certainly increasing in the enterprise, yet security products have been largely windows-centric. With attackers looking for a way in to gain access to other data on the network, a macbook without the same protection as the windows machines would be an attractive target. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/9/2016 | 9:14:01 AM
Re: OS vulnerabilities
@Ryan: Plus, only in the past few years have people even started to pay much attention to Apple platform security.  For years, as Apple's market share was relatively tiny, people -- including attackers -- didn't care much.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/9/2016 | 7:45:29 AM
Shellshock and Heartbleed
As they were not too long ago I know all to well the scramblings behind trying to remediate these two major vulnerabilities. They were so well publicized that non-security sides of the organization were inquiring about the patching efforts.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/9/2016 | 7:41:56 AM
Re: OS vulnerabilities
Yes, I think you will start to see this as more of a commonality with the increasing Mac footprint in the market. It hasn't quite extended over to the corporate side as fast as it has from a personal perspective but regardless Mac is definitely becoming more prevalent then before. With that comes more code for the OS and more opportunities for open holes.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/8/2016 | 12:03:07 PM
OS vulnerabilities
It's one thing to look at the past ten years in a single lump, but it's also worth noting that many more vulnerabilities are being found for Apple OS's than Microsoft OS's these days.

Case in point: informationweek.com/ios-security-reports-say-no-iphone-is-safe/a/d-id/1319750
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15601
PUBLISHED: 2018-08-21
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.
CVE-2018-15603
PUBLISHED: 2018-08-21
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the Author field of the "Leave a Comment" screen.
CVE-2018-15598
PUBLISHED: 2018-08-21
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
CVE-2018-15599
PUBLISHED: 2018-08-21
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
CVE-2018-0501
PUBLISHED: 2018-08-21
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.