Long-lived vulnerabilities in Microsoft products

Last week, Kaspersky Lab specialists published a report on the evolution of software vulnerabilities in the second quarter of 2024. The report is based on statistics from external sources and the company's own data. Of particular interest are the statistics on vulnerabilities that real malware attempts to exploit. Judging by these data, cybercriminals are quite actively exploiting stale problems in popular software. In particular, users of Windows computers most often encounter exploits targeting vulnerabilities that were discovered and patched three to seven years ago. Exploits for Linux more often target recent vulnerabilities in the OS kernel.

The statistics on vulnerabilities frequently exploited in targeted attacks against businesses show the opposite picture. Here the TOP 10 includes many more recently discovered problems, for example a vulnerability in the Ivanti Connect Secure VPN server. In addition to the general statistics, the authors of the report also selected the three most “interesting” vulnerabilities among those discovered in the second quarter of 2024.

The authors of the report calculate the total number of detected vulnerabilities from the CVE database. In total, 8,559 vulnerabilities were published there in the second quarter. This is not a final figure, as the data in this database is often updated retroactively. It is slightly higher than the figure for the second quarter of last year: the number of vulnerabilities that become publicly known continues to grow. Of the total, 332 are critical. Based on incomplete statistics for the first half of 2024, it can also be concluded that the proportion of bugs for which a public exploit or proof of concept is available has decreased. However, the number of incidents in which legitimate but vulnerable software drivers are used has increased.

Of greatest interest is the “hit parade” of the most frequently used vulnerabilities. For Windows, the top four look like this:

  • CVE-2018-0802 – Vulnerability in the Equation Editor component of Microsoft Office
  • CVE-2017-11882 – Another vulnerability in Equation Editor
  • CVE-2017-0199 – Vulnerability in Microsoft Office and WordPad
  • CVE-2021-40444 – Remote Code Execution Vulnerability in MSHTML Component

The second quarter of 2024 also saw a significant increase in attacks on Linux users using exploits for common vulnerabilities. Among the most frequently exploited bugs, two (CVE-2022-0847, CVE-2023-2640) are in the system kernel. Another (CVE-2021-4034) is in the pkexec utility, which allows commands to be executed on behalf of another user.

While “user” malware exploits the same vulnerabilities for years, attacks on businesses more often use exploits for recently discovered problems in corporate software. The TOP 10 most frequently exploited problems also includes long-lived ones, such as CVE-2017-11882 in Microsoft Office 2007. But there are also exploits for problems discovered in 2024: CVE-2024-3400 in Palo Alto Networks software, CVE-2024-20353 in Cisco products, CVE-2024-1709 in ConnectWise IT management software, as well as the well-known vulnerability CVE-2024-21887 in the Ivanti Connect Secure VPN server. Attackers targeting companies primarily look for vulnerable entry points into the corporate network and regularly update the set of tools they use.

Finally, Kaspersky Lab researchers selected three “outstanding” vulnerabilities discovered in the second quarter of 2024. The first is the zero-day CVE-2024-26169 in the Windows driver WerKernel.sys, discovered during the investigation of a cyberattack. Any user can exploit a flaw in this driver to add keys to the registry, which can lead to malware being launched with the highest privileges after a reboot. The vulnerability CVE-2024-26229 in the csc.sys driver stands out for its ease of exploitation: a public exploit appeared just a few days after the problem was disclosed. The authors of the report also highlighted CVE-2024-4577 in PHP CGI. The problem allows arbitrary code execution and results from incorrect processing of incoming data. Notably, it only works with languages written in logographic scripts; more precisely, it is relevant for systems using Chinese or Japanese.

What else happened?

In another publication, Kaspersky Lab specialists describe methods for security testing of z/OS-based mainframes.

A configuration error on the FlightAware website resulted in user data being publicly accessible for at least the last three years. Social Security numbers and the last four digits of credit card numbers were available to anyone who wanted to see them. It is not yet clear, however, whether anyone took advantage of this configuration error.

Google has closed the ninth zero-day vulnerability in the Chrome browser this year.

ESET describes in detail a fraudulent campaign aimed at stealing money from victims' bank accounts. Via phishing SMS, users were sent Android malware supposedly needed to “protect a bank account.” Through the app, the attackers stole banking credentials. The most interesting feature of this malware was the use of a tool for relaying NFC tag data to another device. This additional functionality was most likely aimed at stealing money directly from a payment card, if the victim could be persuaded to hold it against the phone. However, at best this method allowed for small withdrawals.
