The weaponization of common vulnerabilities found in pervasive systems is happening more often and faster than in the past, according to a RiskSense report published April 23. In the study, RiskSense reports a steep uptick in the number of weaponized exploits against flaws in the Adobe family of products, even as the number of actual vulnerabilities declined.
For example, in the RiskSense report, which examines 22 years of CVE data on nearly 3,000 vulnerabilities against Adobe products, weaponized vulnerabilities against the Adobe family of products rose 139% between 2017 and 2018. This is despite a 31% decrease in vulnerabilities over that same time frame.
Other ubiquitous systems are also targets of weaponization. For example, in July of 2018, Bleeping Computer reported the weaponization of a shortcut vulnerability in Microsoft Windows SetttingContent-ms files to execute code (in this case a RAT, or remote access Trojan) on a Windows 10 OS.
The article at Bleeping Computer, as well as the RiskSense study, also report that weaponized vulnerability exploit kits are usually available and in use long before patches are available.
This gap between availability of exploit versus availability of patch for the vulnerability being exploited creates a window of opportunity that organizations should be concerned with. Yet, according to the just-published SANS survey on vulnerability management, only 50% of respondents scanned systems for vulnerabilities as frequently as a week or less; the majority (57%) only patched on a monthly basis.
"Continuous scanning has been a very contentious issue," says David Hoelzer, SANS fellow and instructor who advised on the 2019 SANS survey. "Because it is a core component in vulnerability management, it is important that organizations scan frequently enough to ensure security without overwhelming analysts. Automation is key to that mission."
In the RiskSense report, the most common overall successfully weaponized vulnerability was the buffer overflow. The Adobe Acrobat and Flash products were particularly exploited through memory mismanagement weaknesses, which led to 983 unique vulnerability-exploit pairs and 1,047 unique vulnerability-malware pairs.
For a great read on how to build a stronger, more mature vulnerability management program based on real risks (not perceived risk), read our new whitepaper by SANS instructor Jake Williams here. (Registration required.)