For the last several years, Adobe’s Flash Player has topped the list, but this year it has been dethroned. Microsoft now holds the embarrassing honor. There are multiple Microsoft programs on this year’s list, some of them with exploits that date back more than a decade.
It’s a shameful honor to say the least, and even worse, in this year’s report, Microsoft captured seven of the top ten places.
The most often abused security flaw this year was CVE-2017-0199. Found in a variety of Microsoft Office products, the flaw allows a hacker to embed VBS (Visual Basic Script) containing PowerShell commands in an Office document and have it execute. Recorded Future has found exploit kits for sale on the Dark Web that automate the process, going for between $400 and $800.
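From the defender’s side, the indicators the article names (script content carrying PowerShell commands embedded in an Office document) are cheap to triage on incoming attachments before a user ever opens them. The following is an added example, not code from the article or from Recorded Future: it treats a modern Office file as the OOXML zip archive it is, flags a VBA project part and any embedded OLE objects, and greps the VBA blob for script-host strings. It assumes a constructed in-memory sample document; a real `vbaProject.bin` is an OLE compound file with compressed source, so in practice the string check would run over the decompressed output of a tool such as oletools’ `olevba` rather than the raw part.

```python
import io
import re
import zipfile

# Script hosts worth flagging when they appear inside a document's macro code.
SUSPICIOUS = re.compile(rb"powershell|wscript|cscript|cmd\.exe|mshta", re.IGNORECASE)


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample OOXML archive (assumption: stands in for a real .docm).

    The VBA part here is plain text so the example runs offline; a genuine
    vbaProject.bin stores compressed source inside an OLE container.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(
                "word/vbaProject.bin",
                b'Sub AutoOpen()\r\n  Shell "powershell -enc ..."\r\nEnd Sub',
            )
            # Embedded OLE object part; d0 cf 11 e0 is the compound-file magic.
            z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage_office_file(data: bytes) -> dict:
    """Return what an analyst would want to know before opening the file.

    vba_project:        True if the archive carries a VBA project part.
    embedded_objects:   names of embedded OLE object parts.
    suspicious_strings: script-host names found in the VBA part (lowercased).
    """
    findings = {"vba_project": False, "embedded_objects": [], "suspicious_strings": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc/.xls or not an Office file at all; out of scope here.
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["vba_project"] = True
                blob = z.read(name)
                hits = {m.group(0).decode("ascii", "replace").lower() for m in SUSPICIOUS.finditer(blob)}
                findings["suspicious_strings"].extend(sorted(hits))
            elif "/embeddings/" in lower:
                findings["embedded_objects"].append(name)
    return findings


def is_risky(findings: dict) -> bool:
    """Simple policy: quarantine anything with macros that call a script host."""
    return findings["vba_project"] and bool(findings["suspicious_strings"])


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        result = triage_office_file(doc)
        print(label, result, "RISKY" if is_risky(result) else "ok")
```

The point of the check is not to catch every weaponised document (the embedded-object path in particular needs deeper parsing) but to give mail gateways and SOC pipelines a first, deterministic filter that costs nothing per file. Note that Word only runs macros from macro-enabled extensions (`.docm`, not `.docx`), so a mismatch between extension and the presence of `vbaProject.bin` is itself a useful signal.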
Hot on the heels of the #1 entry is CVE-2016-0189, one of a whole raft of Internet Explorer vulnerabilities that allow hackers to take unfettered control of a victim’s PC, laptop, or smartphone. It is one of the reasons Microsoft has moved away from IE in favor of Microsoft Edge.
Despite this dismaying news, Recorded Future notes that attacks via exploit kits are down significantly, with a staggering 62 percent drop in new variants.
The report’s author, Scott Donnelly, had this to say:
“The observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage. Users have shifted to more secure browsers and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”
Despite the shifting landscape, the central lesson is clear. Hackers tend to take advantage of known exploits. Companies that keep their software properly patched dramatically reduce their chances of being targeted.