What is old may not always be new, but when it comes to hacking, it’s still effective.
According to the latest edition of Hewlett-Packard’s Cyber Risk Report, 44 percent of known breaches in 2014 came from vulnerabilities that were between two and four years old. While HP spotted more than 30 CVE-2014 exploits being used by malware, the majority of the exploits found by its security team targeted older vulnerabilities.
By far the most common exploits targeted CVE-2010-2568, which accounted for roughly a third of all discovered exploit samples. The Microsoft Windows vulnerability was one of the infection vectors for Stuxnet and quickly became a popular weapon for malware writers.
Other popular vulnerabilities included CVE-2010-0188 in Adobe Reader and Acrobat (11 percent) and CVE-2013-0422 in Oracle Java (9 percent). Rounding out the top five are CVE-2012-1723 and CVE-2012-0507, which both impact Oracle Java and accounted for seven and four percent of the exploit samples found by HP, respectively. Of the top 10, three were Microsoft vulnerabilities and six were tied to Oracle Java.
“Many vulnerabilities exploited in 2014 took advantage of code written many years ago—some are even decades old,” the report noted. “Adversaries continue to leverage these classic avenues for attack. Exploitation of widely deployed client-side and server-side applications are still commonplace. These attacks are even more prevalent in poorly coded middleware applications, such as software as a service (SaaS). While newer exploits may have garnered more attention in the press, attacks from years gone by still pose a significant threat to enterprise security.”
The most targeted 2014 CVE was CVE-2014-0322, a vulnerability in Microsoft Internet Explorer.
HP cited web server misconfiguration as a major challenge for organizations during 2014 as well. For mobile applications, web server misconfiguration leading to information disclosure was linked to 33 percent of mobile app vulnerabilities. For Web applications, misconfigurations leading to unprotected files and unprotected directories were the second and fourth most common vulnerabilities, respectively.
“Our findings show that access to unnecessary files and directories seems to dominate the misconfiguration related issues,” according to the report. “The information disclosed to attackers through these misconfigurations provides additional avenues of attack and allows attackers the knowledge needed to ensure their other methods of attack succeed. Regular penetration testing and verification of configurations by internal and external entities can identify configuration errors before attackers exploit them.”
“Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager of Enterprise Security Products at HP, in a statement. “We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk.”