Which vulnerabilities were most exploited by cyber-criminals in 2019?
Which ten software vulnerabilities should you patch as soon as possible (if you haven’t already)?
The list is comprised of two vulnerabilities in Adobe Flash Player, four vulnerabilities affecting Microsoft’s Internet Explorer browser, three MS Office flaws and one WinRAR bug. Most have been flagged and patched in the last few years – as can be seen by their CVE numbers – but one of them dates as far back as 2012.
With all of this in mind, admins are advised to prioritize patching Microsoft products (and all of the vulnerabilities listed below), disable Flash Player wherever possible, remove affected software if it is not needed, and install browser ad-blockers to prevent exploitation via malicious advertising.
The top-10 cyber-exploits of 2019
CVE-2018-15982 – a use-after-free in Flash Player’s com.adobe.tvsdk.mediacore.metadata package that can be exploited to deliver and execute malicious code on a victim’s computer.
CVE-2018-8174 – Windows VBScript Engine Remote Code Execution Vulnerability.
CVE-2017-11882 – takes advantage of a vulnerability in an older version of the Office Equation Editor, which was manually patched by Microsoft in November 2017. This vulnerability’s malicious payload is detected as Trojan:MSIL/Cretasker.
CVE-2018-4878 – Flash Player vulnerability
CVE-2019-0752 – MS Office Scripting Engine Memory Corruption Vulnerability
CVE-2017-0199 – MS Office vulnerability, exploited as a zero-day to deliver the Dridex banking malware
CVE-2015-2419 – MS Internet Explorer (IE) vulnerability
CVE-2018-20250 – WinRAR vulnerability that allows attackers to extract a malicious executable into the Windows Startup folder, so that it runs every time the system boots.
CVE-2017-8750 – Microsoft Browser Memory Corruption Vulnerability
CVE-2012-0158 – a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products.
Some exploits persisted over the years, some didn’t last that long
See how the top-10 list evolved over the years. Colors denote repeat appearances on the list:
| 2019 | 2018 | 2017 | 2016 |
| --- | --- | --- | --- |
| 1. CVE-2018-15982 | 1. CVE-2018-8174 | 1. CVE-2017-0199 | 1. CVE-2016-0189 |
| 2. CVE-2018-8174 | 2. CVE-2018-4878 | 2. CVE-2016-0189 | 2. CVE-2016-1019 |
| 3. CVE-2017-11882 | 3. CVE-2017-11882 | 3. CVE-2017-0022 | 3. CVE-2016-4117 |
| 4. CVE-2018-4878 | 4. CVE-2017-8750 | 4. CVE-2016-7200 | 4. CVE-2015-8651 |
| 5. CVE-2019-0752 | 5. CVE-2017-0199 | 5. CVE-2016-7201 | 5. CVE-2016-0034 |
| 6. CVE-2017-0199 | 6. CVE-2016-0189 | 6. CVE-2015-8651 | 6. CVE-2016-1010 |
| 7. CVE-2015-2419 | 7. CVE-2017-8570 | 7. CVE-2014-6332 | 7. CVE-2014-4113 |
| 8. CVE-2018-20250 | 8. CVE-2018-8373 | 8. CVE-2016-4117 | 8. CVE-2015-8446 |
| 9. CVE-2017-8750 | 9. CVE-2012-0158 | 9. CVE-2016-1019 | 9. CVE-2016-3298 |
| 10. CVE-2012-0158 | 10. CVE-2015-1805 | 10. CVE-2017-0037 | 10. CVE-2015-7645 |
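The original table marks repeat appearances with colour, which does not survive in text. The following added example (not part of the original article) rebuilds that information from the four top-10 lists above and also flags how old each CVE was when it was still being exploited, which is the patching-priority signal the article is making.

```python
# Added example: recover the "repeat appearances" that the original table
# shows with colour, using the page's own 2016-2019 top-10 lists as data.
from collections import defaultdict

TOP10 = {
    2019: ["CVE-2018-15982", "CVE-2018-8174", "CVE-2017-11882", "CVE-2018-4878",
           "CVE-2019-0752", "CVE-2017-0199", "CVE-2015-2419", "CVE-2018-20250",
           "CVE-2017-8750", "CVE-2012-0158"],
    2018: ["CVE-2018-8174", "CVE-2018-4878", "CVE-2017-11882", "CVE-2017-8750",
           "CVE-2017-0199", "CVE-2016-0189", "CVE-2017-8570", "CVE-2018-8373",
           "CVE-2012-0158", "CVE-2015-1805"],
    2017: ["CVE-2017-0199", "CVE-2016-0189", "CVE-2017-0022", "CVE-2016-7200",
           "CVE-2016-7201", "CVE-2015-8651", "CVE-2014-6332", "CVE-2016-4117",
           "CVE-2016-1019", "CVE-2017-0037"],
    2016: ["CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117", "CVE-2015-8651",
           "CVE-2016-0034", "CVE-2016-1010", "CVE-2014-4113", "CVE-2015-8446",
           "CVE-2016-3298", "CVE-2015-7645"],
}

def appearances(top10=TOP10):
    """Map each CVE to the sorted list of years in which it made the top-10."""
    years = defaultdict(list)
    for year, cves in top10.items():
        for cve in cves:
            years[cve].append(year)
    return {cve: sorted(ys) for cve, ys in years.items()}

def repeat_offenders(top10=TOP10):
    """CVEs listed in more than one year, longest-lived first (ties by CVE id)."""
    repeats = [(cve, ys) for cve, ys in appearances(top10).items() if len(ys) > 1]
    return sorted(repeats, key=lambda item: (-len(item[1]), item[0]))

def patch_age(cve, year):
    """Years between the CVE's assignment year and the list year."""
    return year - int(cve.split("-")[1])

def stale_in(year, top10=TOP10, min_age=2):
    """CVEs on a year's list that were at least min_age years old at the time:
    public, patched bugs still earning a top-10 spot point at unpatched estates."""
    return [cve for cve in top10[year] if patch_age(cve, year) >= min_age]

if __name__ == "__main__":
    for cve, ys in repeat_offenders():
        print(f"{cve}: on the list in {ys}")
    print("At least two years old when exploited in 2019:", stale_in(2019))
```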