The 10 Worst Vulnerabilities of The Last 10 Years
From the thousands of vulns that software vendors disclosed over the past 10 years, a few stand out for being a lot scarier than the rest.
May 6, 2016
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt63863d2307fabc99/64f0dadcb0cab37d735b28fd/01-softwarebug.jpg?width=700&auto=webp&quality=80&disable=upscale)
Security vulnerabilities are a fact of life in modern software.
Nearly every product from every vendor has vulnerabilities, and some of them more so than others.
Take Microsoft for instance. CVE Details, a site that chronicles publicly disclosed vulnerabilities shows that in the 10 years starting with 2006 the company has disclosed an astonishing 3,157 security flaws in its products at the rate of more than one vulnerability every two days.
Some 50 percent of them involved errors that allowed malicious code execution. Exploits were created for a total of 192 of those flaws.
But Microsoft is in no way alone. In second place behind it is Oracle with a tally of over 3,100 disclosed vulnerabilities in the last 10 years of which more than 10 percent were announced in 2015. Apple’s products, generally perceived as being more secure than Microsoft’s software, rang up over 2,600 vulnerabilities in the last ten years, a staggering 689 or 26 percent of them in just the last year. Others with a relatively high number of vulnerabilities include IBM, Cisco and Adobe.
Choosing 10 of most egregious flaws from this massive compendium of software errors is not easy given the sheer number of vulnerabilities and range of products involved. Fortunately, only a relatively tiny number of the reported vulnerabilities were of the kind that posed a major threat to users. And only an even smaller number of them rose to the level of a threat with implications for a broad section of users. In some cases, bugs that were dangerous were not easy to exploit. In others, bugs that were easy to exploit did not pose a real threat to security.
Adobe Flash was especially noteworthy for the sheer number of flaws reported in the product in recent years. Though none of them made the Top 10 list, Flash Player vulnerabilities have proved to be a huge headache for everyone. A vulnerability analysis by Recorded Future last year showed that 8 of the top 10 vulnerabilities leveraged by exploit kit makers in 2015 involved Flash Player.
In the following pages (and in no particular order) are 10 vulnerabilities that stood out from the rest over the last 10 years.
This one is not a security vulnerability in the traditional sense of the world. However, its implications are broad and scary all the same considering the ubiquitous use of USBs, according to researchers from Germany-based Security Research Labs who first raised the issue in a Black Hat presentation in 2014.
The researchers showed how it is possible for attackers to convert a benign USB device into a malicious one by quietly reprogramming its controller chip through a firmware update. According to the researchers, widely used USB controller chips, such as those used in thumb drivers are not protected against such modification. Reprogrammed USB devices can be used to surreptitiously carry out a slew of malicious tasks including stealing data and files, installing malware, redirecting traffic and infecting other USB devices.
No effective mitigations were available against the threat, the researchers warned at the time of the vulnerability disclosure.
Image Source: Nrbelex
Source Location: Wikimedia Commons
The Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability disclosed by CrowdStrike in 2015 was another of those critical vulnerabilities that elicited a somewhat mixed response from security researchers. While some described the threat as being more worrisome than Heartbleed, others noted that VENOM was a lot harder to exploit than the former and therefore was likely to be used for targeted attacks rather than mass attacks.
The flaw existed in a floppy-disk controller of the QEMU (Quick Emulator) hypervisor and other hypervisors like Xen and KVM that use some of its code. The reason why VENOM attracted considerable attention when it was announced (and why it merits mention as a major flaw) was because the vulnerability gave attackers a way to break out of the confines of a virtual machine. It allowed them to execute malicious code on a host machine and on other virtual machines on the same, shared host. VENOM enabled precisely the kind of attack that many had theorized would never be possible in a secure cloud environment.
The Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability disclosed by CrowdStrike in 2015 was another of those critical vulnerabilities that elicited a somewhat mixed response from security researchers. While some described the threat as being more worrisome than Heartbleed, others noted that VENOM was a lot harder to exploit than the former and therefore was likely to be used for targeted attacks rather than mass attacks.
The flaw existed in a floppy-disk controller of the QEMU (Quick Emulator) hypervisor and other hypervisors like Xen and KVM that use some of its code. The reason why VENOM attracted considerable attention when it was announced (and why it merits mention as a major flaw) was because the vulnerability gave attackers a way to break out of the confines of a virtual machine. It allowed them to execute malicious code on a host machine and on other virtual machines on the same, shared host. VENOM enabled precisely the kind of attack that many had theorized would never be possible in a secure cloud environment.
Security vulnerabilities are a fact of life in modern software.
Nearly every product from every vendor has vulnerabilities, and some of them more so than others.
Take Microsoft for instance. CVE Details, a site that chronicles publicly disclosed vulnerabilities shows that in the 10 years starting with 2006 the company has disclosed an astonishing 3,157 security flaws in its products at the rate of more than one vulnerability every two days.
Some 50 percent of them involved errors that allowed malicious code execution. Exploits were created for a total of 192 of those flaws.
But Microsoft is in no way alone. In second place behind it is Oracle with a tally of over 3,100 disclosed vulnerabilities in the last 10 years of which more than 10 percent were announced in 2015. Apple’s products, generally perceived as being more secure than Microsoft’s software, rang up over 2,600 vulnerabilities in the last ten years, a staggering 689 or 26 percent of them in just the last year. Others with a relatively high number of vulnerabilities include IBM, Cisco and Adobe.
Choosing 10 of most egregious flaws from this massive compendium of software errors is not easy given the sheer number of vulnerabilities and range of products involved. Fortunately, only a relatively tiny number of the reported vulnerabilities were of the kind that posed a major threat to users. And only an even smaller number of them rose to the level of a threat with implications for a broad section of users. In some cases, bugs that were dangerous were not easy to exploit. In others, bugs that were easy to exploit did not pose a real threat to security.
Adobe Flash was especially noteworthy for the sheer number of flaws reported in the product in recent years. Though none of them made the Top 10 list, Flash Player vulnerabilities have proved to be a huge headache for everyone. A vulnerability analysis by Recorded Future last year showed that 8 of the top 10 vulnerabilities leveraged by exploit kit makers in 2015 involved Flash Player.
In the following pages (and in no particular order) are 10 vulnerabilities that stood out from the rest over the last 10 years.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024