You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks


It's widely accepted that security flaws in Microsoft's products are a top magnet for crooks and fraudsters: its sprawling empire of hardware and software is a target-rich ecosystem in which there is a wide range of bugs to exploit, and a huge number of vulnerable organizations and users.

And so we can believe it when Qualys yesterday said 15 of the 20 most-exploited software vulnerabilities it has observed are in Microsoft's code.

These are the vulnerabilities abused by miscreants to infect victims' systems with ransomware, alter or steal data, and remotely spread malware or take over devices. Qualys's method for ranking these security holes took into account several factors, we're told, including the number of attackers known to exploit the vulnerability.

Notably, older vulnerabilities were given less weight, though that doesn't appear to have helped Microsoft's case. The No. 1 flaw on the list was patched in November 2017: a code execution hole in Microsoft Office's Equation Editor that we'd have hoped had been mostly mitigated by now. Finally, more mature exploit code and inclusion in the US government's CISA catalog of top-exploited vulnerabilities will also boost a bug's rank on Qualys' index. Thus, be aware that this list isn't just sorted by rate of exploitation; there are other points Qualys has considered.

Above all, it shows that Microsoft remains an attractive target for criminals and snoops, thanks to the decades-old IT giant's extensive user base.

"Ultimately, this boils down to return on investment from an attacker's perspective," Mehul Revankar, a product management VP at Qualys, told The Register. "Attackers are more likely to focus on Microsoft-based applications due to the larger number of vulnerable systems, increasing their chances of successfully exploiting and infiltrating organizations."

Microsoft declined to comment.

In addition to the Windows maker, other vendors on the top 20 list include Oracle with three heavily exploited bugs, and Linux, Jira Atlassian, Apache, Citrix, Ivanti, and Fortinet with one each.

6-year-old CVE still going strong

The No. 1 vulnerability, a six-year-old memory corruption bug in Microsoft Office tracked as CVE-2017-11882, has been exploited as recently as August 31, according to Qualys.

"If the user has administrative rights, the attacker could gain complete control of the system, install programs, change data, or create new user accounts with full privileges," wrote Ramesh Ramachandran, Qualys principal product manager for vulnerability management, detection and response, in revealing the top-20 list.

"This vulnerability will be exploited if the user opens a specially crafted file, possibly sent via email or hosted on a compromised website."

Since it was fixed in 2017, the issue has been exploited by dozens of attackers and gangs, and used to deploy 467 malware variants and 14 types of ransomware, we're told. The vulnerability is chiefly abused for espionage purposes and used to deploy data-stealing software. CISA included the bug in its Additional Routinely Exploited Vulnerabilities in 2022 list, and it topped the US-CERT's list of most-exploited flaws back in 2020.

Last summer, Kaspersky researchers attributed attacks that abused this bug to Chinese cybercrime gang TA428. The cyberspies exploited CVE-2017-11882 to compromise more than a dozen organizations in several Eastern European countries, including Belarus, Russia, and Ukraine, and Afghanistan, installing backdoors and then stealing confidential information from military and industrial groups.
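Because CVE-2017-11882 lives in the Equation Editor and is triggered by a user opening a crafted document, one payload-independent way for defenders to spot abuse is to watch for an Office application spawning that component. The following is an added example, not code from the article or from Qualys; it assumes the legacy Equation Editor binary is named EQNEDT32.EXE and uses constructed pipe-separated process-creation log lines.

```python
# Added example (not from the article or Qualys): flag Office processes that
# launch the Equation Editor, the component behind CVE-2017-11882. Ordinary
# documents rarely need it, so the parent/child pair is a strong signal no
# matter what payload follows. The log lines below are constructed.
from dataclasses import dataclass

EQUATION_EDITOR = "eqnedt32.exe"   # assumed name of the legacy Equation Editor
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Alert:
    host: str
    user: str
    parent: str
    child: str


def parse_event(line: str) -> dict:
    """Parse one pipe-separated 'key=value' process-creation line."""
    fields = {}
    for token in line.split("|"):
        key, _, value = token.strip().partition("=")
        fields[key.lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_equation_editor_spawns(lines):
    """Return an Alert for every Office parent that spawned the Equation Editor."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent, child = basename(ev.get("parent", "")), basename(ev.get("image", ""))
        if parent in OFFICE_APPS and child == EQUATION_EDITOR:
            alerts.append(Alert(ev.get("host", "?"), ev.get("user", "?"), parent, child))
    return alerts


# Constructed sample events: only the second line should fire.
SAMPLE_LOG = [
    "host=ws01|user=alice|parent=C:\\Windows\\explorer.exe|image=C:\\Office16\\WINWORD.EXE",
    "host=ws01|user=alice|parent=C:\\Office16\\WINWORD.EXE|image=C:\\Shared\\EQUATION\\EQNEDT32.EXE",
    "host=ws02|user=bob|parent=C:\\Office16\\OUTLOOK.EXE|image=C:\\Office16\\WINWORD.EXE",
]
```

The same parent/child check applies to Office spawning other unexpected binaries; here it is deliberately narrowed to the one component the article names.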


The No. 2 flaw, CVE-2017-0199, was also fixed back in 2017. It's a remote code execution vulnerability that affects specific Microsoft Office and WordPad versions when they parse specially crafted files.

To exploit CVE-2017-0199, an attacker would have to trick a user into opening or previewing a malicious file, usually sent via a phishing email. And, again, it's worth noting that Redmond addressed the issue by, according to the software titan, "correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue."

Over the years, it was exploited by 93 strains of malware, 53 attackers, and 5 ransomware families, according to Qualys, which adds that this vulnerability was "trending in the wild as recently as September 4."

Back to 2012

If the first two years-old security holes weren't bad enough, the third flaw on Qualys' list is a remote code execution vulnerability in Windows Common Controls that dates back to 2012. It's tracked as CVE-2012-0158.

An attacker would need to convince a user to visit a malicious website laced with code designed to exploit the vulnerability. Assuming a crook had success doing that, and according to Qualys 45 different attackers did, they could gain the same privileges as the logged-on user.

"If the user has administrative privileges, this could mean full control of the affected system," Ramachandran wrote. "This vulnerability has been notably exploited in various cyber-attacks, enabling attackers to install programs, manipulate data, or create new accounts with full user rights."

The No. 4 ranked vulnerability is yet another RCE bug in Microsoft Office and WordPad, tracked as CVE-2017-8570. It requires an attacker to trick a user into opening a malicious file, and can be abused to download and run malware on victims' computers.

The full list of all 20 vulnerabilities can be found here. And in closing: please, people, update your software and install patches in a timely manner. Let's not keep making it any easier for criminals. ®