Patching is an essential part of network security. Without it, security flaws are never fixed. Instead, they remain an open invitation to hackers.
But not every system can be patched immediately, and some patches are more important and must be prioritized.
Determining the most important patches depends on many factors. Some factors, such as the likelihood of exploitation, can be difficult to gauge.
It’s impossible to know whether an organization will suffer an attack that targets a specific weakness. However, a few pieces of information can help predictions.
One helpful piece is the popularity of certain vulnerabilities in exploit kits.
An exploit is a piece of software that leverages a weakness in a target system in order to perform some type of attack – such as installing malware without the user’s knowledge.
Exploit kits are collections of exploits. They are mini-libraries of code designed to detect and exploit flaws in targeted systems. They’re often used on malicious websites to force malware onto visitors’ machines.
The kits are openly bought and sold on the dark web, and they are among the most popular tools used in cyber crime today.
A recent report from Recorded Future attempts to determine the most popular vulnerabilities used in exploit kits in 2017. It does this by monitoring chatter about the vulnerabilities in areas of the web where the kits are bought and sold.
The chart below shows the most popular vulnerabilities they found. We go through each of them below.
All of the top 10 vulnerabilities listed can allow remote attackers to execute arbitrary code on the affected systems.
Also, seven of the top 10 are in Microsoft products, with the remaining three in Adobe products. This research was conducted during 2017.
In the two years prior, Adobe products dominated the list, largely due to a number of severe Flash vulnerabilities. The transition has occurred as the popularity of Flash has declined, according to Recorded Future’s report.
Published: April 11, 2017
Severity: 9
Vendor: Microsoft
Products: Several versions of MS Office and Windows
The vulnerability has been observed in email phishing attacks and is linked to at least 11 branches of malware.
The attack typically encourages victims to download or preview a malicious Word document. On a vulnerable system, doing so will result in the download and execution of a script containing PowerShell commands.
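The Word-document-runs-PowerShell chain described above leaves a recognisable trace in endpoint telemetry: an Office application spawning a script interpreter. The following is an added example (not from the article or Recorded Future) of a small detector for that process pattern; the event records, hostnames and the list of command-line fragments that raise the alert level are all constructed assumptions.

```python
from typing import Optional

# Parent processes that should rarely launch an interpreter (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes worth alerting on when the parent is an Office app (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
# Command-line fragments that raise an alert from medium to high (assumed indicators).
ESCALATORS = ("http://", "https://", "hidden", "-enc", "downloadstring")

# Constructed sample events shaped like Sysmon event ID 1 / EDR process-creation records.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1"},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",            # admin use, no Office parent
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},  # print helper, benign
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium', or None for one process-creation event."""
    if basename(event["parent"]) not in OFFICE_APPS:
        return None
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = event.get("cmdline", "").lower()
    return "high" if any(tok in cmd for tok in ESCALATORS) else "medium"


def detect(events: list) -> list:
    """Run classify() over a batch and return the alerts, 'high' ones first."""
    alerts = []
    for ev in events:
        level = classify(ev)
        if level:
            alerts.append({"host": ev["host"], "level": level,
                           "parent": basename(ev["parent"]), "child": basename(ev["image"])})
    alerts.sort(key=lambda a: a["level"] != "high")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Tune OFFICE_APPS and SCRIPT_HOSTS to your environment; the rule deliberately ignores which CVE triggered the chain, since it catches the post-exploitation behaviour the article describes rather than any single bug.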
AKA: Scripting Engine Remote Memory Corruption Vulnerability
Published: May 10, 2016
Severity: 7.5
Vendor: Microsoft
Products: Internet Explorer 9, 10, and 11 and other products.
This one can allow remote attackers to execute arbitrary code or cause a denial of service through memory corruption.
Exploits of this vulnerability have been discovered on malicious websites that attempt to perform drive-by-downloads on victims’ systems.
AKA: Memory Corruption Vulnerability
Published: Feb. 10, 2016
Severity: 7.8
Vendor: Microsoft
Products: Multiple versions of MS Office, MS Word, and other products
Exploits are performed by encouraging a user to open a malicious file with MS Office, which causes the execution of a malicious script.
AKA: Scripting Engine Memory Corruption Vulnerability
Published: Nov. 10, 2016
Severity: 7.5
Vendor: Microsoft
Products: Edge
This vulnerability can allow attackers to execute arbitrary code on victims’ systems or cause a denial of service via memory corruption.
Similar to the second vulnerability on this list (CVE-2016-0189), exploits are performed via a malicious website that attempts a drive-by download on victims’ systems.
Published: Nov. 10, 2016
Severity: 7.5
Vendor: Microsoft
Products: Edge
The description of this vulnerability is nearly identical to number four on this list. They were even published the same day.
The CVE description notes it’s “a different vulnerability than CVE-2016-7200”; however, both appear to apply to the Chakra JavaScript engine in Microsoft Edge, and both can be exploited to perform drive-by downloads from malicious websites.
Published: Dec. 28, 2015
Severity: 8.8
Vendor: Adobe
Products: Flash Player on multiple platforms
Flash has long been derided for its poor security, and it’s far less common on the web today for this reason and others.
This is an integer overflow vulnerability that, when exploited, can allow attackers to execute arbitrary code on victims’ systems. This occurs via “unspecified vectors” according to the CVE description.
Published: Nov. 11, 2014
Severity: 9.3
Vendor: Microsoft
Products: Several Microsoft operating systems including Windows Server 2003, 2008, and 2012 Gold, Windows Vista, 7, and 8.1, and others.
This is the oldest vulnerability on the top 10 list, and also earned the second-highest severity score.
When discovered, this flaw affected every version of Windows since 1995. This likely explains its continued popularity among cyber criminals.
Published: May 10, 2016
Severity: 9.8
Vendor: Adobe
Products: All versions of Adobe Flash released before May 2016 (through version 21.0.0.226)
This vulnerability was first discovered in a zero-day attack in the wild. It can allow attackers to execute arbitrary code, and its severity score ties for the highest of all vulnerabilities on the list.
The exploit uses a malicious SWF file, which is typically associated with animations viewable on Adobe Flash Player.
In the zero-day attack, researchers discovered instances of the exploit embedded in MS Word documents. The document was hosted on a server and then disseminated via URL and as an email attachment.
Published: Apr. 7, 2016
Severity: 9.8
Vendor: Adobe
Products: All versions of Adobe Flash released before May 2016 (through version 21.0.0.226)
Just one month before the discovery of the zero-day Flash exploit described above, this equally severe Flash vulnerability was discovered – also as part of a zero-day attack.
Adobe rushed an emergency patch to the public in response. The flaw affected a range of operating systems, including Windows, Mac, Linux, and Chrome OS. Active exploits were observed for Windows XP and 7.
An exploit for the vulnerability was discovered in the Magnitude exploit kit and was used to install Locky ransomware.
Published: Feb. 26, 2016
Severity: 8.1
Vendor: Microsoft
Products: Internet Explorer 10 and 11, and Edge
This vulnerability – you guessed it – can allow remote attackers to execute arbitrary code on victims’ systems.
The exploit allows attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.