Posted in Security

Top 10 most exploited software security holes hide in office documents

People who work with open source software tend to be concerned about vulnerabilities in WordPress, Java and other popular products, but criminals and spies who want direct access inside a business or government organization prefer exploiting security holes in office documents. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a top 10 list of the most exploited security problems in software from 2016 until 2019.

If someone wants to access computers and data inside an organization, and decided to hack his or her way in via office documents, what is the most popular product that almost everyone is using? Microsoft Office, and file formats that it uses.

In that sense it is not a surprise that security problems in Microsoft products dominate the most exploited top 10 list, but it is a surprise that patches for these widely known security holes have been available for a long time. Organizations that have been hacked just haven’t bothered to update their software products.

Top 10 security problems in software products by CISA

  1. A remote code execution vulnerability in Microsoft Office products is used to bypass security settings. The problem has been known since 2017. (CVE-2017-11882)
  2. Another remote code execution hole in Microsoft Office allows an attacker to run his own software (delivered in a document) on a user’s computer. It is used, for instance, by banking and spyware trojans such as Dridex. (CVE-2017-0199)
  3. A remote code execution problem in Apache Struts, exploited in the Equifax hack of 2017. Apache Struts is a framework for Java applications.(CVE-2017-5638)
  4. Eight years old problem in Windows ActiveX component hasn’t been updated on all computers, but can still be exploited, for instance, by the Dridex banking trojan. (CVE-2012-0158)
  5. Microsoft SharePoint, an intranet service platform, has a remote code execution vulnerability that was exploited in an attack to the United Nations infrastructure in Geneva in 2019. (CVE-2019-0604)
  6. A remote code execution hole in Microsoft SMB (file and printer sharing service within local office network) is so popular attack vector that it has been incorporated into the EternalSynergy and EternalBlue software kits available on the internet. (CVE-2017-0143)
  7. Fortunately, the use of Adobe Flash Player has been declining for a few years already, but since 2018 attackers have been and still are targeting a vulnerability in the software. (CVE-2018-4878)
  8. Microsoft .NET Framework has a remote code execution vulnerability that has allowed, for instance, FinFisher spyware to get in to office networks. (CVE-2017-8759)
  9. All organizations that use RTF document format beware: a security problem in Microsoft Office allows a hacker to run his own program that is distributed inside a RTF document. (CVE-2015-1641)
  10. Open source content management and publishing system Drupal has a core vulnerability that has been used to run cryptomining code Kitty. (CVE-2018-7600)

CISA also warns that in 2020, two new attack techniques are growing at an alarming rate:

  • VPN servers that haven’t been updated are a new target. Particularly, Citrix VPN appliances and Pulse Secure VPN servers are being attacked.
  • Microsoft Office 365 cloud services are a new frequently attacked target.

Via The Register.