Friday, 15 May 2015

Top 30 Targeted High Risk Vulnerabilities

TA15-119A: Top 30 Targeted High Risk Vulnerabilities

Original release date: April 29, 2015

Systems Affected

Systems running unpatched software from Adobe, Microsoft, Oracle, or OpenSSL.

Overview

Cyber threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure organizations. As many as 85 percent of targeted attacks are preventable [1]. This Alert provides information on the 30 most commonly exploited vulnerabilities used in these attacks, along with prevention and mitigation recommendations.

It is based on analysis completed by the Canadian Cyber Incident Response Centre (CCIRC) and was developed in collaboration with our partners from Canada, New Zealand, the United Kingdom, and the Australian Cyber Security Centre.

Description

Unpatched vulnerabilities allow malicious actors entry points into a network. A set of vulnerabilities are consistently targeted in observed attacks.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

- Temporary or permanent loss of sensitive or proprietary information,
- Disruption to regular operations,
- Financial losses relating to restoring systems and files, and
- Potential harm to an organization’s reputation.

Solution

Maintain up-to-date software

The attack vectors frequently used by malicious actors such as email attachments, compromised “watering hole” websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.

It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24 hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.

Patch commonly exploited vulnerabilities

Executives should ensure their organization’s information security professionals have patched the following software vulnerabilities. Please see patching information for version specifics.

Microsoft

| CVE | Affected Products | Patching Information |
|---|---|---|
| CVE-2006-3227 | Internet Explorer | Microsoft Malware Protection Encyclopedia Entry |
| CVE-2008-2244 | Office Word | Microsoft Security Bulletin MS08-042 |
| CVE-2009-3129 | Office; Office for Mac; Open XML File Format Converter for Mac; Office Excel Viewer; Excel; Office Compatibility Pack for Word, Excel, and PowerPoint | Microsoft Security Bulletin MS09-067 |
| CVE-2009-3674 | Internet Explorer | Microsoft Security Bulletin MS09-072 |
| CVE-2010-0806 | Internet Explorer | Microsoft Security Bulletin MS10-018 |
| CVE-2010-3333 | Office; Office for Mac; Open XML File Format Converter for Mac | Microsoft Security Bulletin MS10-087 |
| CVE-2011-0101 | Excel | Microsoft Security Bulletin MS11-021 |
| CVE-2012-0158 | Office; SQL Server; BizTalk Server; Commerce Server; Visual FoxPro; Visual Basic | Microsoft Security Bulletin MS12-027 |
| CVE-2012-1856 | Office; SQL Server; Commerce Server; Host Integration Server; Visual FoxPro; Visual Basic | Microsoft Security Bulletin MS12-060 |
| CVE-2012-4792 | Internet Explorer | Microsoft Security Bulletin MS13-008 |
| CVE-2013-0074 | Silverlight and Developer Runtime | Microsoft Security Bulletin MS13-022 |
| CVE-2013-1347 | Internet Explorer | Microsoft Security Bulletin MS13-038 |
| CVE-2014-0322 | Internet Explorer | Microsoft Security Bulletin MS14-012 |
| CVE-2014-1761 | Microsoft Word; Office Word Viewer; Office Compatibility Pack; Office for Mac; Word Automation Services on SharePoint Server; Office Web Apps; Office Web Apps Server | Microsoft Security Bulletin MS14-017 |
| CVE-2014-1776 | Internet Explorer | Microsoft Security Bulletin MS14-021 |
| CVE-2014-4114 | Windows | Microsoft Security Bulletin MS14-060 |

Oracle

| CVE | Affected Products | Patching Information |
|---|---|---|
| CVE-2012-1723 | Java Development Kit, SDK, and JRE | Oracle Java SE Critical Patch Update Advisory - June 2012 |
| CVE-2013-2465 | Java Development Kit and JRE | Oracle Java SE Critical Patch Update Advisory - June 2013 |

Adobe

| CVE | Affected Products | Patching Information |
|---|---|---|
| CVE-2009-3953 | Reader; Acrobat | Adobe Security Bulletin APSB10-02 |
| CVE-2010-0188 | Reader; Acrobat | Adobe Security Bulletin APSB10-07 |
| CVE-2010-2883 | Reader; Acrobat | Adobe Security Bulletin APSB10-21 |
| CVE-2011-0611 | Flash Player; AIR; Reader; Acrobat | Adobe Security Bulletin APSB11-07; Adobe Security Bulletin APSB11-08 |
| CVE-2011-2462 | Reader; Acrobat | Adobe Security Bulletin APSB11-30 |
| CVE-2013-0625 | ColdFusion | Adobe Security Bulletin APSB13-03 |
| CVE-2013-0632 | ColdFusion | Adobe Security Bulletin APSB13-03 |
| CVE-2013-2729 | Reader; Acrobat | Adobe Security Bulletin APSB13-15 |
| CVE-2013-3336 | ColdFusion | Adobe Security Bulletin APSB13-13 |
| CVE-2013-5326 | ColdFusion | Adobe Security Bulletin APSB13-27 |
| CVE-2014-0564 | Flash Player; AIR; AIR SDK & Compiler | Adobe Security Bulletin APSB14-22 |

OpenSSL

| CVE | Affected Product | Patching Information |
|---|---|---|
| CVE-2014-0160 | OpenSSL | CERT Vulnerability Note VU#720951 |

Implement the following four mitigation strategies.

As part of a comprehensive security strategy, network administrators should implement the following four mitigation strategies, which can help prevent targeted cyber attacks.

| Ranking | Mitigation Strategy | Rationale |
|---|---|---|
| 1 | Use application whitelisting to help prevent malicious software and unapproved programs from running. | Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software. |
| 2 | Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office. | Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. |
| 3 | Patch operating system | |
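
A check a patch team could run against the alert's CVE tables, as an added example that is not part of the original alert: it pulls CVE identifiers out of scanner finding text and queues the hosts that still carry any of the 30 listed vulnerabilities. The host names, finding rows and function names are constructed for illustration, and the patch references are shortened forms of the entries in the tables.

```python
import re
from collections import defaultdict

# CVE=patch reference, taken from the alert's tables (references shortened).
_TABLE = """
CVE-2006-3227=Malware-Protection-Encyclopedia-entry CVE-2008-2244=MS08-042
CVE-2009-3129=MS09-067 CVE-2009-3674=MS09-072 CVE-2010-0806=MS10-018
CVE-2010-3333=MS10-087 CVE-2011-0101=MS11-021 CVE-2012-0158=MS12-027
CVE-2012-1856=MS12-060 CVE-2012-4792=MS13-008 CVE-2013-0074=MS13-022
CVE-2013-1347=MS13-038 CVE-2014-0322=MS14-012 CVE-2014-1761=MS14-017
CVE-2014-1776=MS14-021 CVE-2014-4114=MS14-060
CVE-2012-1723=Java-SE-CPU-June-2012 CVE-2013-2465=Java-SE-CPU-June-2013
CVE-2009-3953=APSB10-02 CVE-2010-0188=APSB10-07 CVE-2010-2883=APSB10-21
CVE-2011-0611=APSB11-07,APSB11-08 CVE-2011-2462=APSB11-30
CVE-2013-0625=APSB13-03 CVE-2013-0632=APSB13-03 CVE-2013-2729=APSB13-15
CVE-2013-3336=APSB13-13 CVE-2013-5326=APSB13-27 CVE-2014-0564=APSB14-22
CVE-2014-0160=VU#720951
"""
ALERT = dict(pair.split("=") for pair in _TABLE.split())

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,7})", re.IGNORECASE)
# Zero-width characters often survive copy/paste from web pages and break matching.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"))

def alert_hits(findings):
    """Map host -> {CVE: patch reference} for findings that name a CVE in the alert."""
    hits = defaultdict(dict)
    for host, text in findings:
        for year, num in CVE_RE.findall(text.translate(ZERO_WIDTH)):
            cve = f"CVE-{year}-{num}"  # normalises case
            if cve in ALERT:
                hits[host][cve] = ALERT[cve]
    return dict(hits)

def patch_queue(findings):
    """Hosts ordered by number of open alert CVEs, worst first, then by name."""
    return sorted(alert_hits(findings).items(), key=lambda kv: (-len(kv[1]), kv[0]))

# Constructed scanner export rows: (host, finding text).
SAMPLE = [
    ("ws-014", "finding: cve-2012-0158; finding: CVE-2014-0564"),
    ("web-02", "finding references (CVE-2014-0160)"),
    ("ws-014", "finding: CVE-\u200b2014-1776"),
    ("db-01", "finding: CVE-2099-0001 (placeholder, not in the alert)"),
]

if __name__ == "__main__":
    for host, cves in patch_queue(SAMPLE):
        print(host, cves)
```
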
