Many vulnerabilities were the same as previous years
For the third straight year, cyber-criminals have been able to exploit more vulnerabilities in Microsoft products than in those of other companies.
According to a report by Recorded Future, of the ten most common software flaws detected during 2019, those in Microsoft products outweighed those from other vendors.
Four of the most popular exploits targeted Internet Explorer, while Adobe Flash, which is close to the end of its life cycle, was also heavily hit. Of the top ten issues, eight could be exploited using phishing attacks, exploit kits, or Remote Access Trojans (RATs).
The report was compiled by analysing approximately 12,000 vulnerabilities reported through the Common Vulnerabilities and Exposures (CVE) system last year.
Bugs such as the use-after-free issue, the remote code execution flaw in the Windows VBScripting engine, the critical remote code execution flaw in Microsoft Office/Wordpad and the Scripting Engine Memory Corruption Vulnerability featured on the list of most exploited vulnerabilities in 2019 and in earlier years as well. These long-standing vulnerabilities, which are easy to exploit and affect a large share of the user base, are often sold in the market of illegal software.
The CVE-2017-0199 vulnerability has been exploited the most since it impacts key products like Microsoft Office 2007-2016, Windows Server 2008, and Windows 7 and 8. One of the key reasons behind the delay in patching these bugs is the fear of downtime or operational disruptions. Companies at times even fear that these patches may break the already working product.
The report also suggests that the availability of exploit kits has come down drastically over the last few years. It reports that in 2016 there were 62 new exploit kits available in the market while only four made their way to the market in 2019.