Top 10 Security Vulnerabilities of 2017

top-10-vulnerabilities-of-2017---1Patching is an essential part of network security. Without it, security flaws are never fixed. Instead, they remain an open invitation to hackers.

But not every system can be patched immediately, and some patches are more important and must be prioritized.

Determining the most important patches depends many factors:

  • Value of the asset to be patched
  • Severity of the security vulnerability
  • Ease of exploiting the vulnerability
  • Likelihood of exploitation
  • Impact such an attack could have

Some factors – such as “likelihood of exploitation” can be difficult to gauge.

It’s impossible to know whether an organization will suffer an attack that targets a specific weakness. However, a few pieces of information can help predictions.

One helpful piece is the popularity of certain vulnerabilities in exploit kits.

An exploit is a piece of software that leverages a weakness in a target system in order to perform some type of attack – such as installing malware without the user’s knowledge.

Exploit kits are collections of exploits. They are mini-libraries of code designed to detect and exploit flaws in targeted systems. They’re often used on malicious websites to force malware onto visitors’ machines.

The kits are openly bought and sold on the dark web, and they are among the most popular tools used in cyber crime today.

A recent report from Recorded Future attempts to determine the most popular vulnerabilities used in exploit kits in 2017. It does this by monitoring chatter about the vulnerabilities in areas of the web where the kits are bought and sold.

The chart below shows the most popular vulnerabilities they found. We go through each of them below.

top-10-vulnerabilities-exploited-2017-1

All of the top 10 vulnerabilities listed can allow remote attackers to execute arbitrary code on the affected systems.

Also, seven of the top 10 are in Microsoft products, with the remaining three in Adobe products. This research was conducted during 2017.

In the two years prior, Adobe products dominated the list, largely due to a number of severe Flash vulnerabilities. The transition has occurred as the popularity of Flash has declined, according to Recorded Future’s report.

Vulnerability #1. CVE-2017-0199

Published: April 11, 2017

Severity: 9

Vendor: Microsoft

Products: Several versions of MS Office and Windows

The vulnerability has been observed in email phishing attacks and is liked to at least 11 branches of malware.

The attack typically encourages victims to download or preview a malicious Word document. On a vulnerable system, doing so will result in the download and execution of a script containing Powershell commands.

top-10-vulnerabilities-of-2017---2Vulnerability #2. CVE-2016-0189

AKA: Scripting Engine Remote Memory Corruption Vulnerability

Published: May 10, 2016

Severity: 7.5

Vendor: Microsoft

Products: Internet Explorer 9, 10, and 11 and other products.

This one can allow remote attackers to execute arbitrary code or cause a denial of service through memory corruption.

Exploits of this vulnerability have been discovered on malicious websites that attempt to perform drive-by-downloads on victims’ systems.

Vulnerability #3. CVE-2016-0022

AKA: Memory Corruption Vulnerability

Published: Feb. 10, 2016

Severity: 7.8

Vendor: Microsoft

Products: Multiple versions of MS Office, MS Word, and other products

Exploits are performed by encouraging a user to open a malicious file with MS Office, which causes the execution of a malicious script.

top-10-vulnerabilities-of-2017---3Vulnerability #4. CVE-2016-7200

AKA: Scripting Engine Memory Corruption Vulnerability

Published: Nov. 10, 2016

Severity: 7.5

Vendor: Microsoft

Products: Edge

This vulnerability can allow attackers to execute arbitrary code on victims’ systems or cause a denial of service via memory corruption.

Similar to the second vulnerability on this list (CVE-2016-0189), exploits are performed via a malicious website that attempts a drive-by download on victim’s systems.

Vulnerability #5. CVE-2016-7201

Published: Nov. 10, 2016

Severity: 7.5

Vendor: Microsoft

Products: Edge

The description of this vulnerability is nearly identical to number four on this list. They were even published the same day.

The CVE description notes it’s “a different vulnerability than CVE-2016-7200,” however both appear to apply to the Chakra JavaScript engine in Microsoft Edge and both can be exploited to perform drive-by-downloads on malicious websites.

top-10-vulnerabilities-of-2017---4Vulnerability #6. CVE-2015-8651

Published: Dec. 28, 2015

Severity: 8.8

Vendor: Adobe

Products: Flash Player on multiple platforms

Flash has long been derided for its poor security, and it’s far less common on the web today for this reason and others.

This is an integer overflow vulnerability that, when exploited, can allow attackers to execute arbitrary code on victims’ systems. This occurs via “unspecified vectors” according to the CVE description.

Vulnerability #7. CVE-2014-6332

Published: Nov. 11, 2014

Severity: 9.3

Vendor: Microsoft

Products: Several Microsoft operating systems including Windows Server 2003, 2008, and 2012 Gold, Windows Vista, 7, and 8.1, and others.

This is the oldest vulnerability on the top 10 list, and also earned the second-highest severity score.

When discovered, this flaw affected every version of Windows since 1995. This likely explains its continued popularity among cyber criminals.

top-10-vulnerabilities-of-2017---5Vulnerability #8. CVE-2016-4117

Published: May 10, 2016

Severity: 9.8

Vendor: Adobe

Products: All versions of Adobe Flash released before May 2016 (through version 21.0.0.226)

This vulnerability was first discovered in a zero-day attack in the wild. This vulnerability can allow attackers to execute arbitrary code, and it’s severity score ties for the highest of all vulnerabilities on the list.

The exploit uses a malicious SWF file, which is typically associated with animations viewable on Adobe Flash Player.

In the zero-day attack, researchers discovered instances of the exploit embedded in MS Word documents. The document was hosted on a server and then disseminated via URL and as an email attachment.

Vulnerability #9. CVE-2016-1019

Published: Apr. 7, 2016

Severity: 9.8

Vendor: Adobe

Products: All versions of Adobe Flash released before May 2016 (through version 21.0.0.226)

Just one month before the discovery of the zero-day Flash exploit described above, this equally severe Flash vulnerability was discovered – also as part of a zero-day attack.

Adobe rushed an emergency patch to the public in response. The flaw affected a range of operating systems, including Windows, Mac, Linux, and Chrome OS. Active exploits were observed for Windows XP and 7.

An exploit for the vulnerability was discovered in the Magnitude exploit kit and was used to install Locky ransomware.

Vulnerability #10. CVE-2017-0037

Published: Feb. 26, 2016

Severity: 8.1

Vendor: Microsoft

Products: Internet Explorer 10 and 11, and Edge

This vulnerability – you guessed it – can allow remote attackers to execute arbitrary code on victim’s systems.

The exploit allows attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

 

2017 Top Threats Report

 

Related resources

Top 8 Network Attacks by Type in 2017

Biggest Cyber Attacks 2017: How They Happened

Top 10 Security Vulnerabilities of 2013

 

 


Written by Calyptix

 - June 25, 2018

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
GET STARTED
MSPRESELLER
home
contact
call us
call
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram