Microsoft products targeted by most widely-used exploits in 2019

Eight of the top ten most commonly exploited vulnerabilities used by cyber criminals last year comprised software developed by Microsoft, namely the Microsoft Office suite, WinRAR and Internet Explorer.

Microsoft products were the most-targeted exploits by the criminal underworld in 2019 through phishing, exploit kits or remote access trojans (RATs), with two flaws in Adobe’s Flash Player making up the full complement.

Staggeringly, six of the vulnerabilities, all impacting Microsoft, were repeats from 2018’s list of most-exploited flaws, according to a report by Recorded Future.

Four of the ten flaws alone affected Internet Explorer, suggesting that the legacy internet browser is still widely-deployed among organisations, with the remaining vulnerabilities comprising three for Office and one for WinRAR.

“Despite experiencing a drop in browser usage, Internet Explorer is still running in many enterprise environments, making it a top target for threat actors,” the report said. “Only two Adobe Flash vulnerabilities made the top 10, likely due to a combination of better patching and Flash Player’s impending demise in 2020.”

“Many vulnerability and patch management teams face the challenge of keeping up with countless product patch updates without having visibility into which vulnerabilities are actively exploited by cybercriminals.”

Despite there being more than 12,000 vulnerabilities with a CVE rating in 2019, this is fewer than in the 2018 calendar year, when there were 16,000 reported vulnerabilities. More than 1,000 of the 12,000 vulnerabilities recorded last year were prescribed a CVSS score of nine or higher, deeming them ‘critical’.

Moreover, the number of new exploit kits continued to decrease in 2019 versus the previous year, dropping from five to four. This trend was also true for RATs, with 23 new Trojans developed last year versus 37 in 2018.

Many of the top-ten exploited vulnerabilities for 2019 were flaws that were identified a number of years ago, including 9.3 CVSS-rated Office flaw CVE-2017-11882, and the 9.3 CVSS-rated Office flaw CVE-2012-0158.

Notably, the flaw CVE-2017-0199, which was also an Office flaw rated 9.3 in severity, was highlighted as one of the most exploited vulnerabilities for the past three consecutive years. This was targeted by several strains malware ranging from njRAT, to Pony, to QuasarRAT.

Two prominent vulnerabilities from 2019, namely EternalBlue and EternalRomance, were not included in the top ten due to adoption by nation-state hackers as opposed to run-of-the-mill cyber criminals.

Despite the prominence of Microsoft software targeted last year, the most widely-exploited was an Adobe Flash bug, dubbed CVE-2018-15982, which is a use-after-free vulnerability, meaning that memory can be accessed after it has been freed.

The researchers behind the report have taken this opportunity to urge organisations to prioritise patching Microsoft products in their respective technology stacks, over unpatched systems by other vendors.

Flash Player, meanwhile, should be automatically disabled on employees’ browser settings, with sites increasingly removing this technology ahead of Adobe dropping support for the video player on 31 December 2020.

With the average vulnerability staying alive for seven years, the researchers added, it’s important that organisations patch older vulnerabilities with just as much urgency as freshly exploited flaws.