13.07.2015 Views

hp-security-research-cyber-risk-report-pdf-2-w-1408


HP Security Research | Cyber Risk Report 2015

Top CVE numbers seen in 2014

Although we have seen over 30 CVE-2014 exploits used by malware, the majority of exploits discovered by our teams attempt to exploit older vulnerabilities. By far the most common exploit is CVE-2010-2568, [69] which roughly accounts for a third of all discovered exploit samples. This vulnerability in shell32.dll allows the attacker to plant a specially crafted .PIF or .LNK file, which triggers the vulnerability when a user browses the content of the folder containing the malicious files. The exploit was used as one of the infection vectors for Stuxnet and quickly gained popularity in the world of malware writers.

Figure 2. Top exploit samples in 2014; note CVE numbers, which are a useful guide to when the vulnerability was first reported

CVE              Product                       Share of samples
CVE-2010-2568    Microsoft Windows             33%
CVE-2010-0188    Adobe Reader and Acrobat®     11%
CVE-2013-0422    Oracle Java                   9%
CVE-2012-1723    Oracle Java                   7%
CVE-2012-0507    Oracle Java                   4%
CVE-2012-0158    Microsoft Office              4%
CVE-2013-2465    Oracle Java                   3%
CVE-2012-4681    Oracle Java                   3%
CVE-2013-2423    Oracle Java                   2%
CVE-2009-3129    Microsoft Office              2%
Others                                         22%

In fact, CVE-2010-2568 is the only exploit for which the number of discovered samples grew month over month throughout the year.

The breakdown of the top 10 overall exploit samples discovered this year is quite different compared to only CVE-2014 exploit samples. Oracle Java holds the top place in terms of numbers with six exploits in the top 10, accounting for 29 percent of all discovered samples, with CVE-2013-0422 [69] being the most popular of Java exploits. These are followed by the already mentioned CVE-2010-2568 targeting Windows; CVE-2010-0188, [70] which targets Adobe Reader, accounting for 11 percent of samples; CVE-2012-0158 [71] targeting Microsoft Office with 4 percent of samples; and CVE-2009-3129 [72] targeting Microsoft Excel®, with less than 2 percent of all exploit samples discovered in 2014.

The discovered exploit samples indicate that there is still a significant percentage of Windows users who do not regularly update their systems with security patches. This issue may have been exacerbated by Microsoft ending support for Windows XP security updates in April [73] for most users (and not counting the emergency MS14-021 patch released in late April).

Looking at the operating systems targeted by exploits, it is obvious that attackers are still concentrating on Windows, despite high-profile vulnerabilities in other technologies, such as CVE-2014-6271 [74] (Shellshock), that were discovered in 2014.

The most common exploit encountered for non-Windows operating systems targeted CVE-2013-4787, [75] also known as the Android Master Key vulnerability. Samples targeting this vulnerability accounted for a little over one percent of all exploit samples.

[68] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
[69] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
[70] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188
[71] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158
[72] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3129
[73] http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx
[74] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
[75] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4787
