Newly-discovered zero-day vulnerabilities may generate the biggest headlines in the security press, but that doesn’t mean that they’re necessarily the thing that will get your company hacked.

This week, US-CERT has published its list of what it describes as the “Top 10 Routinely Exploited Vulnerabilities” for the last three years.

The list is designed to galvanise IT security teams at both public and private sector organisations into giving a higher priority to patching known vulnerabilities, before they can be exploited by malicious hackers.

As US-CERT explains, state-sponsored hackers have sophisticated capabilities but they may prefer to keep them for specific targets. Instead, the DHS’s Computer Emergency Readiness Team warns that attackers continue to “exploit publicly known—and often dated—software vulnerabilities against broad target sets” because exploitation “often requires fewer resources as compared with zero-day exploits for which no patches are available.”

The top ten security vulnerabilities

  1. CVE-2017-11882 – a remote code execution vulnerability in Microsoft Office products that has been used by a variety of malware to bypass security measures on vulnerable computers. The flaw has been known about since 2017, but it actually lies in a buggy Office component – the Microsoft Equation Editor – whose binary was compiled in November 2000.
  2. CVE-2017-0199 – this remote code execution bug in Microsoft Office allows an attacker to run malware on a user’s computer via a booby-trapped document. It is frequently seen being used by banking and spyware trojans such as Dridex.
  3. CVE-2017-5638 – a remote code execution vulnerability in Apache Struts, most infamously exploited in the massive Equifax data breach of 2017.
  4. CVE-2012-0158 – despite being eight years old, this bug in the Windows Common Controls ActiveX library (MSCOMCTL.OCX) is still unpatched on many people’s computers, and is exploited by the likes of the Dridex banking trojan.
  5. CVE-2019-0604 – a SharePoint remote code execution flaw that has been blamed for (Read more...)
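The practical lesson of the list is a triage rule: a finding that matches a routinely exploited CVE should be patched before a higher-CVSS finding that nobody is known to be exploiting. The script below is an added example written for this page, not code from US-CERT or the article: it reads scanner output in a simple `host,cve,cvss` CSV shape (an assumed format), drops malformed rows instead of aborting, and sorts findings so that known-exploited CVEs come first and raw CVSS only breaks ties. The CVE set contains just the five entries the article reproduces above; in practice you would load the full list from the alert. The scan rows and the `CVE-0000-0000` placeholder are constructed test data, not real findings.

```python
"""Rank vulnerability-scan findings: known-exploited CVEs first, CVSS second.

Added example for this page; not the alert's or the article's own code.
Input format (host,cve,cvss CSV) is an assumption; sample rows are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass

# The part of the US-CERT top ten that the article reproduces.
# Load the complete list from the alert for real use.
ROUTINELY_EXPLOITED = {
    "CVE-2017-11882",
    "CVE-2017-0199",
    "CVE-2017-5638",
    "CVE-2012-0158",
    "CVE-2019-0604",
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float


def parse_findings(text):
    """Parse 'host,cve,cvss' rows; skip malformed rows rather than fail the run."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        host = (row.get("host") or "").strip()
        cve = (row.get("cve") or "").strip().upper()
        if not host or not CVE_RE.match(cve):
            continue  # scanner noise or a free-text row; not a CVE finding
        try:
            cvss = float(row.get("cvss") or "")
        except ValueError:
            continue
        findings.append(Finding(host, cve, cvss))
    return findings


def triage_key(finding):
    """Sort key: exploited-in-the-wild first, then higher CVSS, then stable order."""
    return (finding.cve not in ROUTINELY_EXPLOITED, -finding.cvss, finding.host, finding.cve)


def triage(findings):
    """Return findings in the order they should be patched."""
    return sorted(findings, key=triage_key)


# Constructed sample scan. CVE-0000-0000 is a placeholder standing in for a
# critical-rated CVE that is not on the exploited list; it is not a real ID.
SAMPLE_SCAN = """host,cve,cvss
fileserver01,CVE-0000-0000,9.8
desk-17,CVE-2012-0158,8.8
desk-17,CVE-2017-11882,7.8
web01,CVE-2017-5638,10.0
desk-03,not-a-cve,5.0
"""

if __name__ == "__main__":
    for f in triage(parse_findings(SAMPLE_SCAN)):
        flag = "EXPLOITED" if f.cve in ROUTINELY_EXPLOITED else "         "
        print(f"{flag} {f.cvss:4.1f} {f.cve:16} {f.host}")
```

Note that the 9.8-rated placeholder lands below every exploited CVE, including the 7.8-rated Equation Editor bug; that inversion of a pure-CVSS ordering is the whole point of the alert.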