Exploring the Vulnerabilities with Most Associated Malware
William Grove, Feb 24, 2020
The recently-released Vulnerability and Threat Trends Report 2020 shone a light on a relatively underexposed trend by revealing the top ten vulnerabilities with most associated malware. These are flaws that are each used by around 50 types of malware. The most popular, CVE-2018-8174 or ‘Double Kill’, has astonishingly attracted a total of 62 associated malware modules.
All of these vulnerabilities hold either high- or critical-severity CVSS scores and share a few common characteristics – including remote code execution (RCE), memory corruption and privilege escalation capabilities – which make them incredibly attractive to attackers.
Although very few vulnerabilities are actually exploited in the wild (less than one percent will ever be actively exploited), it is still incredibly important for organizations to patch their most exposed vulnerabilities. Attackers are attaching multiple malware samples to individual vulnerabilities and when they attempt an exploit, they’re exploring a number of different avenues that will give them their desired outcome. Security teams need to understand the context – both internal and external – that surrounds each vulnerability. Each flaw has a unique story and profile within each security environment; if this isn’t understood, and if it isn’t appropriately acted upon, then organizations are leaving themselves vulnerable to attacks.
Top five vulnerabilities with most associated malware
When Double Kill came out, it was considered to be a methodological breakthrough because of its ability to hop from Microsoft Office into the Internet Explorer kernel – something that had not been seen in exploit code before – and fears of its potency have proven to be well-founded. A real zero-day in April 2018, it is the youngest vulnerability in the top ten, and its inclusion in big-name exploit kits like Rig and Fallout has made it popular with criminals. Considering how dangerous this vulnerability is, it should not be a surprise that criminals have latched onto it: proof of how astute and flexible attackers can be when attaching their malware to powerful flaws.
First reported in 2016, this Adobe Flash vulnerability has become a magnet for malware owing to its RCE attributes. Adobe Flash has long been a favorite for criminals because it’s a popular product with a very poor update mechanism and is included in many standard and widely available, ready-to-use exploit kits.
This scripting engine memory corruption vulnerability, which allows remote attackers to execute arbitrary code via a crafted website, impacts the Microsoft VBScript 5.7 and JScript 5.7 engines, as used in Internet Explorer 9 through 11.
Another Adobe Flash vulnerability, this time a use-after-free flaw which attackers could exploit after enticing users to open documents, web pages, or emails that contain corrupted Flash files.
This RCE vulnerability, first discovered in 2014, has gained traction because, if exploited, it allows attackers to execute remote code on Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1.
The full top ten list of vulnerabilities with most associated malware can be found in the Vulnerability and Threat Trends Report 2020. Download your copy here.
Double Kill Exploit Jumps from MS Office to Internet Explorer – Learn more about how the vulnerability with the most associated malware modules works
Vulnerability and Threat Trends Report 2020: Key Findings – If you don’t have time to read the full report right now, digest its key takeaways instead