Cybersecurity firm Tenable just released their Vulnerability Intelligence Report which outlines the most prevalent vulnerabilities in terms of enterprise security.
Apparently, Microsoft and Google’s software products are at the top of the list of security flaws that disrupt entire enterprise systems. Such vulnerabilities have the potential to wrack 20-30 percent of enterprises running unpatched software.
Vulnerability Intelligence Report: the Details
According to the report, Microsoft .Net and Microsoft Office, Adobe Flash, and Oracle’s Java carry the highest level of risk in terms of enterprise assets. Adobe Flash is to blame for half of the vulnerability-based enterprise threats, and Microsoft Office, in general, is accountable for 20 percent of security flaws. A distinction should be made about a particular vulnerability, CVE-2018-8202, which can affect up to 32 percent of enterprises.
The vulnerability was included in [wplinkpreview url=”https://sensorstechforum.com/july-2018-patch-tuesday-cve-2018-8281-microsoft-office/”]July 2018 Patch Tuesday, and is a privilege escalation bug in the .NET framework.
Another very threatening vulnerability is located in Google Chrome and is assigned the CVE-2018-6153 number. The issue is of the stack buffer overflow type and is caused by improper bounds checking by Skia.
The next on the list is CVE-2015-6136, a vulnerability in Microsoft IE which was discovered in 2015. CVE-2015-6136 can impact 28 percent of enterprises. Here’s its official description:
The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 engines, as used in Internet Explorer 8 through 11 and other products, allow remote attackers to execute arbitrary code via a crafted web site, aka “Scripting Engine Memory Corruption Vulnerability.”
The fourth vulnerability in terms of impact on enterprises is CVE-2018-2938:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Java DB). Supported versions that are affected are Java SE: 6u191, 7u181 and 8u172. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.
It should also be noted that, while the flaw in Java SE, additional products may also be affected. Successful attacks of this vulnerability can result in takeover of Java SE.
Then comes CVE-2018-1039, a Microsoft enterprise vulnerability in the .NET framework that leads to bypass of device guard functionality.
The rest of the vulnerabilities also have an impact on enterprises. Some of them are not assigned CVE numbers, like the SSL flaw which is in 6th position:
SSL Version 2 and 3 Protocol Detection. The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including an insecure padding scheme with CBC ciphers and insecure session renegotiation and resumption schemes.
The rest of the flaws selected by Tenable are:
CVE-2018-6130 in Google Chrome, which is an out-of-bounds memory access bug in WebRTC.
CVE-2018-8242 in Microsoft IE, which is a remote code execution vulnerability existing in the way the scripting engine handles objects in memory in the browser.
CVE-2018-5007 in Adobe Flash Player, which is a type confusion vulnerability in versions of the software 184.108.40.206 and earlier. It can also lead to the execution of arbitrary code.
CVE-2018-8249, CVE-2018-0978 in Microsoft IE, which is a remote code execution bug caused by improper object access.
CVE-2018-8310 in Microsoft Office, which is a tampering vulnerability that appears when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails.
CVE-2018-5002 in Adobe Flash Player, which impacts versions of the software 220.127.116.11 and earlier. It is a stack buffer overflow flaw that leads to the execution of arbitrary code in the context of the current user.
CVE-2018-8178 in Microsoft browsers, which is a remote code execution vulnerability.
CVE-2018-2814 in Oracle Java, which is a flaw in the Java SE embedded component of Oracle Java SE which can result in a complete takeover by attackers.
CVE-2018-5008 in Adobe Flash Player, which affects versions 18.104.22.168 and earlier. It is an out-of-bounds read security vulnerability that can result in information disclosure.
CVE-2017-11215 in Adobe Flash Player, affecting software versions 22.214.171.124 and earlier. A use-after-free flaw in the Primetime SDK which could lead to code corruption, control-flow hijack or an information leak.
An unassigned vulnerability in Mozilla, which affects legacy Mozilla applications, such as outdated versions of Firefox, Thunderbird and SeaMonkey. These products may contain security flaws as no more security updates are available.
CVE-2015-0008 in MFC library in Microsoft Visual Studio .NET, which is an untrusted search path vulnerability which can be exploited by attackers to gain local privileges.
CVE-2018-4944 in Adobe Flash versions 126.96.36.199 and earlier. These versions contain a type confusion bug that can lead to the execution of arbitrary code.