Microsoft vulnerabilities observed as the most heavily targeted attack vector of 2017
According to research, 7 of the 10 most exploited flaws of 2017 were in Microsoft products, with two of these rated critical. This is a noticeable change from previous years, when Adobe Flash was the most commonly compromised attack vector. There has also been a decrease in exploit kit development, down 62% in 2017. While this change may suggest Adobe Flash is less exploited and better protected than it was before, it gives troubling indications for Microsoft vulnerabilities. Not only do Microsoft products account for most of the vulnerabilities most popular with threat actors, several of these flaws went unpatched for months despite having been recognized and observed by Microsoft and several threat detection companies. Three of the vulnerabilities in the top 10 had also appeared in the same list in 2016.
The 7 vulnerabilities that made the top 10 list specifically targeted Microsoft’s Windows, Office, Edge and Internet Explorer products. Furthermore, the two critical vulnerabilities were observed to allow threat actors to execute code directly on a target machine as well as to access, modify and delete data.
One of these critical vulnerabilities was CVE-2017-0199, which was identified and patched in April 2017, yet had already been in active exploitation for three months by then, pointing to slow reactive mitigation on Microsoft’s part. The vulnerability allowed arbitrary code to be executed on a victim’s machine, opening up a vast array of further attack vectors.
Furthermore, this vulnerability took advantage of the Object Linking and Embedding (OLE) feature to insert foreign files into a user’s system. This is a well-known attack vector, with OLE having been used in almost every previous vulnerability relating to Microsoft Office. Microsoft spent several months investigating it, unaware that it was in active exploitation.
The second of the two critical vulnerabilities, CVE-2017-0189, was an escalation of privilege flaw, allowing threat actors to create new user accounts with full user rights. Yet this vulnerability too was only patched after significant exploitation, with appearances in around a dozen exploit kits and builders. This again raises questions about Microsoft’s ability to patch issues before they become heavily exploited, and gives something to look out for over 2018.
Interestingly, the growing sophistication of browsers has helped to narrow the scope of vulnerabilities. For example, the “click to play” setting in Chrome is enabled by default and has been seen to limit the reach and impact of many Adobe Flash Player related vulnerabilities. Users also visit sites with Flash less often, with this dropping from 80% of users per day in 2014 to 17% in 2017. This indicates that the rise of Microsoft products to the top spot may simply reflect other vulnerabilities being defended against more effectively, together with a proactive push from the industry to reduce reliance on Flash, the cause of so many problems, which is expected to reach its end of life by 2020.