The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, and the Federal Bureau of Investigation (FBI) have published the top 10 software vulnerabilities most commonly exploited in 2016-2019.
The list includes vulnerabilities used by both state-sponsored hackers and ordinary cybercriminals.
“The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors”, the published report says.
According to the CISA report, unlike zero-day bugs, exploiting these vulnerabilities requires fewer resources.
“An agreed campaign to fix these vulnerabilities would interfere with the work methods of foreign adversaries and force them to develop or acquire more expensive and less effective exploits”, the report said.
The following vulnerabilities were exploited most often in attacks in 2016-2019:
- CVE-2017-11882: present in Microsoft Equation Formula Editor and affects Microsoft Office products. Microsoft fixed it in November 2017;
- CVE-2017-0199: affects Microsoft Office and allows executing arbitrary code, downloading malware and gaining control over the victim’s computer. Microsoft fixed it in April 2017;
- CVE-2017-5638: Apache Struts arbitrary code execution vulnerability. Oracle fixed it in September 2017;
- CVE-2012-0158: arbitrary code execution vulnerability in the Microsoft ActiveX Common Control component of the Windows operating system. Microsoft fixed it in April 2012;
- CVE-2019-0604: affects Microsoft SharePoint and was fixed in February 2019;
- CVE-2017-0143: a type confusion error between WriteAndX and Transaction requests. Affects Microsoft Windows and was fixed in March 2017;
- CVE-2018-4878: arbitrary code execution vulnerability in Adobe Flash Player. It was fixed in February 2018;
- CVE-2017-8759: arbitrary code execution vulnerability in the .NET Framework. It was fixed in September 2017;
- CVE-2015-1641: arbitrary code execution vulnerability in Microsoft Windows. It was fixed by Microsoft in April 2015;
- CVE-2018-7600: Drupal arbitrary code execution vulnerability. It was fixed in March 2018.
I also recall that the FBI warned about an increase in supply chain attacks.