“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft”

The Top 10 most exploited vulnerabilities of the past four years include a software bug — CVE-2012-0158 — first reported in April 2012, a new report from the FBI and the US’s Cybersecurity and Infrastructure Security Agency (CISA) reveals, in yet another reminder that poor patching regimes/legacy software continue to help facilitate data breaches and other malicious intrusions.

The code that CVE-2012-0158 exploits is housed within the Microsoft Windows Common Control Library, a Dynamic Linked Library (DLL).

Vulnerabilities in the ListView, ListView2, TreeView, and TreeView2 ActiveX controls let attackers execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file. Malware authors over the years have built thousands of different ways to harness the vulnerability and obfuscate exploits.

CVE-2012-0158: What’s Vulnerable?

Vulnerable software includes Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; Visual FoxPro 9.0 SP2; and Visual Basic 6.0, among others.

(Yes, these all still have many users, if with dwindling numbers.)

Top 10 Most Exploited Vulnerabilities: Public and Private Sector Need a “Concerted Campaign to Patch these Vulnerabilities”

CISA and the FBI lament that “foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations.”

They added this week: “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective.”

These are the Top 10, as listed by CISA.

CVE-2017-11882

Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products

Associated Malware: Loki, FormBook, Pony/FAREIT

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-11882

IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133e

CVE-2017-0199

Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1

Associated Malware: FINSPY, LATENTBOT, Dridex

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0199

IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133g, https://www.us-cert.gov/ncas/analysis-reports/ar20-133h, https://www.us-cert.gov/ncas/analysis-reports/ar20-133p

CVE-2017-5638

Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1

Associated Malware: JexBoss

Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1

More Detail: https://www.us-cert.gov/ncas/analysis-reports/AR18-312A https://nvd.nist.gov/vuln/detail/CVE-2017-5638



CVE-2012-0158

Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0

Associated Malware: Dridex

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://www.us-cert.gov/ncas/alerts/aa19-339a https://nvd.nist.gov/vuln/detail/CVE-2012-0158

IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o

CVE-2019-0604

Vulnerable Products: Microsoft SharePoint

Associated Malware: China Chopper

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2019-0604

CVE-2017-0143

Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016

Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0143

CVE-2018-4878

Vulnerable Products: Adobe Flash Player before 28.0.0.161

Associated Malware: DOGCALL

Mitigation: Update Adobe Flash Player installation to the latest version

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-4878

IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d

CVE-2017-8759

Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7

Associated Malware: FINSPY, FinFisher, WingBird

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-8759

IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f

CVE-2015-1641

Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1

Associated Malware: Toshliph, UWarrior

Mitigation: Update affected Microsoft products with the latest security patches

More Detail: https://nvd.nist.gov/vuln/detail/CVE-2015-1641

IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m

CVE-2018-7600