Newly-discovered zero-day vulnerabilities may generate the biggest headlines in the security press, but that doesn't mean that they're necessarily the thing that will get your company hacked. This week, US-CERT has published its list of what it describes as the "Top 10 Routinely Exploited Vulnerabilities" for the last three years. The list is designed to galvanise IT security teams at both public and private sector organisations into putting a greater priority into patching vulnerabilities, before they can be exploited by malicious hackers. As US-CERT explains, state-sponsored hackers have sophisticated capabilities but they may prefer to keep them for specific targets. Instead, the DHS's Computer Emergency Readiness Team warns that attackers continue to "exploit publicly known—and often dated—software vulnerabilities against broad target sets" because exploitation "often requires fewer resources as compared with zero-day exploits for which no patches are available."
The top ten security vulnerabilities
- CVE-2017-11882 - a remote code execution vulnerability in Microsoft Office products, and has been used by a variety of malware to bypass security measures on vulnerable computers. The flaw has been known about since 2017, but actually dates back to a buggy Office component - Microsoft Equation Editor - compiled in November 2000.
- CVE-2017-0199 - this remote code execution bug in Microsoft Office allows an attacker to run malware on a user's computer via a boobytrapped document. It is frequently seen being used by banking and spyware trojans such as Dridex.
- CVE-2017-5638 - a remote code execution vulnerability in Apache Struts, most infamously exploited in the massive Equifax data breach of 2017.
- CVE-2012-0158 - despite being eight years old, this bug in Windows ActiveX is still unpatched on many people's computers, and is exploited by the likes of the Dridex banking trojan.
- CVE-2019-0604 - a SharePoint remote code execution flaw that has been blamed for a mid-2019 attack that saw in hackers ultimately accessing the systems of the United Nations in Geneva and exfiltrating sensitive information held by the UN Office of the High Commissioner for Human Rights (OHCHR).
- CVE-2017-0143 - a remote code execution vulnerability in Microsoft SMB that has been incorporated into the EternalSynergy and EternalBlue exploit kits.
- CVE-2018-4878 - a vulnerability in versions of Adobe Flash Player that was first successfully exploited by attackers in the wild in early 2018.
- CVE-2017-8759 - a remote code execution vulnerability in the Microsoft .NET Framwework that is used by the notorious FinFisher spyware.
- CVE-2015-1641 - this Microsoft Office vulnerability allows an attacker to run malicious code on a target's computer via a boobytrapped RTF document.
- CVE-2018-7600 - a critical Drupal core vulnerability that has been exploited by cybercriminals to run cryptomining code known as Kitty.
US-CERT's website links to mitigation advice and security updates for the various vulnerabilities. Of course, sometimes it's not as simple a case as clicking an "Update now" button to update a particular piece of vulnerable software in your organisation. Up-to-date versions of the software may not work properly on older versions of the operating system, or may be incompatible with other software you relied upon to do daily business. It's too simplistic (and wrong) to accuse IT departments of not knowing about a particular vulnerability, or thinking that they simply cannot be bothered to patch against a known security hole. It may be that the department is well aware of the issue, but is weighing up what may be significant costs associated with replacing computer systems, modernising infrastructure, and the disruption it may cause. In a perfect world all vulnerabilities with published fixes would be patched by companies in a timely fashion, but we simply don't live in a perfect world. What IT security teams can do, argues Tripwire's Irfahn Khimji, is use the US-CERT list to help justify that work should be done now to improve a company's security rather than wait until later:
"Organizations with applications dependent on legacy systems need to weigh out the benefits and costs of modernizing their systems. While there can be significant cost to redeveloping applications, there are many significant benefits. Among them is that older systems are exploitable to some severe vulnerabilities that are actively and routinely being exploited. This list can be used to help businesses justify modernizing their platforms sooner rather than later."
US-CERT predictably reminds businesses that US interests would be served well through keeping systems patched and up-to-date:
"A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries."
Find out more about how Tripwire can help you in this video featuring Tyler Reguly, Tripwire's manager of security R&D. https://www.youtube.com/watch?v=eMoRqJbvrnA
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.