A remote code execution vulnerability in the Windows common controls remains one of the most popular to exploit – five years after it was patched, data shows.
CVE-2010-2568 ranked as the third most referenced vulnerability by suppliers in AlienVault’s Open Threat Exchange (OTX) platform in 2017, underlining the importance of effective enterprise security patching programmes.
An attacker could exploit the vulnerability by constructing a specially crafted webpage, according to Microsoft’s original security notice. “When a user views the webpage, the vulnerability could allow remote code execution,” the security notice said. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”
Sophos described the exploit as “arguably one of the most exploited vulnerabilities of the last decade”. And it continues to be extremely popular, according to the first in a series of three blog posts by AlienVault drawing on the 2017 OTX data, which is built from billions of anonymised security events reported by software suppliers and customers.
According to AlienVault, OTX is the world’s largest crowd-sourced threat intelligence platform, with more than 26,000 participants in 140 countries who share more than one million potential threats each day.
“A patch for CVE-2012-0158 has been available since April 2012,” said Chris Doman, security researcher at AlienVault. “However, clearly there are still a large number of organisations out there that haven’t patched for five years or more.
“It is a fairly reliable exploit and there are lots of tools available to allow unsophisticated attackers to easily exploit it. Therefore, it is important for IT teams to keep up to date with patching exploits, particularly those affecting commonly targeted platforms, such as Microsoft Office.”
Javvad Malik, security advocate at AlienVault, said it is important for IT teams to address and prioritise the exploits that are most relevant to their enterprise.
“This would be a combination of understanding what exploits are most prevalent, and which systems are most vulnerable – from both the perspective of quantity as well as value,” he said.
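The prioritisation Malik describes combines three inputs: how prevalent an exploit is in threat reporting, how many systems are missing the corresponding patch (quantity), and how valuable or exposed those systems are (value). The script below is an added illustration of that idea and is not AlienVault's or Computer Weekly's code; the prevalence counts, host names, business-value scores and exposure weighting are all constructed for the example, not OTX figures.

```python
"""Rank missing patches by threat prevalence x asset value x exposure.

Added example: all inputs below are constructed stand-ins, not real OTX data.
"""
from dataclasses import dataclass


# Constructed: how often each CVE was referenced in threat reports over a period.
# A real feed (e.g. an OTX export) would supply these numbers.
THREAT_PREVALENCE = {
    "CVE-2017-0199": 1200,
    "CVE-2012-0158": 800,
    "CVE-2013-6282": 150,
}


@dataclass
class Host:
    name: str
    value: int               # business value of the asset, 1 (low) to 5 (high)
    exposed: bool            # handles untrusted input such as email or web content
    missing_patches: list    # CVEs for which the fix has not yet been applied


# Constructed asset inventory for the example.
HOSTS = [
    Host("finance-ws-01", 5, True, ["CVE-2017-0199", "CVE-2012-0158"]),
    Host("dev-lab-07", 1, False, ["CVE-2017-0199"]),
    Host("hr-ws-03", 3, True, ["CVE-2012-0158"]),
    Host("android-kiosk", 2, True, ["CVE-2013-6282"]),
]


def score(host, cve, prevalence=THREAT_PREVALENCE):
    """Risk score for one (host, CVE) pair: prevalence x value x exposure weight.

    The weighting (exposed hosts count double) is an assumption for the example.
    """
    exposure = 2 if host.exposed else 1
    return prevalence.get(cve, 0) * host.value * exposure


def prioritise(hosts, prevalence=THREAT_PREVALENCE):
    """Return (host name, cve, score) tuples, highest risk first."""
    rows = [
        (h.name, cve, score(h, cve, prevalence))
        for h in hosts
        for cve in h.missing_patches
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def hosts_missing(hosts):
    """Quantity view: number of hosts still missing each patch."""
    counts = {}
    for h in hosts:
        for cve in h.missing_patches:
            counts[cve] = counts.get(cve, 0) + 1
    return counts


def cve_totals(hosts, prevalence=THREAT_PREVALENCE):
    """Value view: total risk score per CVE across the estate, highest first."""
    totals = {}
    for _, cve, s in prioritise(hosts, prevalence):
        totals[cve] = totals.get(cve, 0) + s
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    print("Per-host patch order:")
    for name, cve, s in prioritise(HOSTS):
        print(f"  {s:>6}  {name:<15} {cve}")
    print("Hosts missing each patch:", hosts_missing(HOSTS))
    print("Total risk per CVE:", cve_totals(HOSTS))
```

On the constructed data the quantity view alone ties CVE-2017-0199 and CVE-2012-0158 at two unpatched hosts each; weighting by prevalence and asset value breaks the tie and puts the exposed finance workstation at the top of the per-host list, which is the combination of "quantity as well as value" the quote is pointing at.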
Topping the list of most-reported exploits is CVE-2017-0199, a remote code execution vulnerability in the way that Microsoft Office and WordPad parse specially crafted files.
An attacker who successfully exploits this vulnerability could take control of an affected system to install programs; view, change or delete data; or create new accounts with full user rights.
This exploit is “extremely popular”, said Doman and Malik, noting that it has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (Oilrig). It has also been heavily abused by criminal gangs, such as some of those deploying Dridex.
“CVE-2017-0199 was identified from in-the-wild attacks by FireEye in April 2017,” said Doman. “The initial malware indicates the attackers were customers of FinFisher, and were likely targeting users in Russia. It allows attackers to execute malware, delivered by Microsoft Word documents. It exploits a flaw in the Windows OLE interface.”
Doman and Malik list the eight other most-referenced exploits in 2017, as well as the top 10 exploits being reported by AlienVault customers, to enable organisations to prioritise which security updates to apply.
“We hope the list of targeted exploits will help businesses double-check that they are not vulnerable to the most commonly used exploits,” said Doman.
Other standout findings from the data covering 2017, said Doman and Malik, include the fact that most effective exploits quickly proliferate between a number of criminal and nation state groups, and that njRat malware variants were the most prevalent malware persisting on networks.
“Microsoft has exceptionally mature processes to prevent exploits,” the blog post said. “However, due to their software’s ubiquity, once an exploit does slip through and is discovered, it is used heavily.”
Underlining the growing prevalence of mobile malware, the blog post said the highest-ranked exploit for an operating system other than Microsoft Windows is CVE-2013-6282. “This has been used by Android malware to escalate privileges once installed on a victim’s phone,” the blog post said.
The blog post also noted there has been a significant increase in reports on attackers reportedly located in Russia and North Korea, that there has been a significant drop in reports of activity emanating from groups operating from China, and that four of the 10 most popular domains associated with malware in 2017 – including the domain associated with WannaCry – were sinkholed by MalwareTech, also known as Marcus Hutchins.
After being hailed as a hero for halting the WannaCry attacks, Hutchins was arrested in Las Vegas in August 2017 on charges of helping to create and distribute the Kronos banking Trojan that was designed to steal funds from online bank accounts between July 2014 and July 2015. Hutchins has denied all links to the Kronos malware, and is currently on bail in Los Angeles, where he is waiting for a date to be set for his trial in Wisconsin.