Security vulnerabilities in Microsoft software have become an even more popular means of attack by cyber criminals - but an Adobe Flash vulnerability still ranks as the second most used exploit by hacking groups.
Analysis by researchers at Recorded Future of exploit kits, phishing attacks and trojan malware campaigns deployed during 2018 found that flaws in Microsoft products were the most consistently targeted during the course of the year, accounting for eight of the top ten vulnerabilities. That figure is up from seven during the previous year. Patches are available for all the flaws on the list - but not all users get around to applying them, leaving themselves vulnerable.
Microsoft is the most common target, likely thanks to how widespread use of its software is. The top exploited vulnerability on the list is CVE-2018-8174. Nicknamed Double Kill, it's a remote code execution flaw residing in Windows VBSsript which can be exploited through Internet Explorer.
Double Kill was included in four of the most potent exploit kits available to cyber criminals – RIG, Fallout, KaiXin and Magnitude – and they helped deliver some of the most notorious forms of banking trojan and ransomware to unsuspecting victims.
But the second most commonly observed vulnerability during the course of the year was one of only two which didn't target Microsoft software: CVE-2018-4878 is an Adobe Flash zero-day first identified in February last year.
An emergency patch was released within hours, but large numbers of users didn't apply it, leaving them open to attacks. CVE-2018-4878 has since been included in multiple exploit kits, most notably the Fallout Exploit Kit which is used to power GandCrab ransomware – the ransomware remains prolific to this day.
Adobe exploits used to be the most commonly deployed vulnerabilities by cyber criminals, but they appear to be going off it as we get closer to 2020.
Third in the most commonly exploited vulnerability list is CVE-2017-11882. Disclosed in December 2016, it's a security vulnerability in Microsoft Office which enables arbitrary code to run when a maliciously-modified file is opened – putting users at risk malware being dropped onto their computer.
Only a handful of vulnerabilities remain in the top ten on a year on year basis. CVE-2017-0199 – a Microsoft Office vulnerability which can be exploited to take control of an affected system– was the most commonly deployed exploit by cyber criminals in 2017, but slipped to the fifth most in 2018.
CVE-2016-0189 was the ranked vulnerability of 2016 and second ranked of 2017 and still features among the most commonly exploited exploits. The Internet Explorer zero-day is still going strong almost three years after it first emerged, suggesting there's a real issue with users not applying updates to their browsers.
Applying the appropriate patches to operating systems and applications can go a long way to protecting organisations against of some the most commonly deployed cyber attacks, as can having some intelligence on the potential risks posed by cyber attackers.
"The biggest take-away is the importance of having insight into vulnerabilities actively sold and exploited on underground and dark web forums," Kathleen Kuczma, sales engineer at Recorded Future told ZDNet.
"Although the ideal situation would be to patch everything, having an accurate picture of which vulnerabilities are impacting a company's most critical systems, paired with which vulnerabilities are actively exploited or in development, allows vulnerability management teams to better prioritize the most important places to patch," she added.
The only non-Microsoft vulnerability in the list aside from the Adobe vulnerability is CVE-2015-1805: a Linux kernel vulnerability which is often used to attack Android smartphones with malware.
The top ten most commonly exploited vulnerabilities – and the software they target – according to the Recorded Future Annual Vulnerability report are:
- CVE-2018-8174 – Microsoft
- CVE-2018-4878 – Adobe
- CVE-2017-11882 – Microsoft
- CVE-2017-8750 – Microsoft
- CVE-2017-0199 – Microsoft
- CVE-2016-0189 – Microsoft
- CVE-2017-8570 – Microsoft
- CVE-2018-8373 – Microsoft
- CVE-2012-0158 – Microsoft
- CVE-2015-1805 – Google Android