Microsoft products targeted by most widely-used exploits in 2019

Eight of the top ten exploitable flaws targeted Microsoft software, in addition to two Adobe Flash Player vulnerabilities

Eight of the top ten vulnerabilities most commonly exploited by cyber criminals last year affected software developed by Microsoft, namely the Microsoft Office suite, WinRAR and Internet Explorer.

Microsoft products were the software most targeted by the criminal underworld's exploits in 2019, delivered through phishing, exploit kits or remote access trojans (RATs), with two flaws in Adobe's Flash Player making up the full complement.

Staggeringly, six of the vulnerabilities, all impacting Microsoft, were repeats from 2018’s list of most-exploited flaws, according to a report by Recorded Future.

Four of the ten flaws affected Internet Explorer alone, suggesting that the legacy browser is still widely deployed among organisations, with the remaining vulnerabilities comprising three for Office and one for WinRAR.


“Despite experiencing a drop in browser usage, Internet Explorer is still running in many enterprise environments, making it a top target for threat actors,” the report said. “Only two Adobe Flash vulnerabilities made the top 10, likely due to a combination of better patching and Flash Player’s impending demise in 2020.”

“Many vulnerability and patch management teams face the challenge of keeping up with countless product patch updates without having visibility into which vulnerabilities are actively exploited by cybercriminals.”

Although more than 12,000 vulnerabilities were assigned CVE identifiers in 2019, this is fewer than in the 2018 calendar year, when there were 16,000 reported vulnerabilities. More than 1,000 of the 12,000 vulnerabilities recorded last year were assigned a CVSS score of nine or higher, deeming them 'critical'.

Moreover, the number of new exploit kits continued to decrease in 2019 versus the previous year, dropping from five to four. This trend was also true for RATs, with 23 new Trojans developed last year versus 37 in 2018.

Many of the top ten exploited vulnerabilities for 2019 were flaws that were identified a number of years ago, including the CVSS 9.3-rated Office flaw CVE-2017-11882 and the CVSS 9.3-rated Office flaw CVE-2012-0158.

Notably, the flaw CVE-2017-0199, also an Office flaw rated 9.3 in severity, was highlighted as one of the most exploited vulnerabilities for the past three consecutive years. It was targeted by several strains of malware, ranging from njRAT to Pony to QuasarRAT.


Two prominent vulnerabilities from 2019, namely EternalBlue and EternalRomance, were not included in the top ten due to adoption by nation-state hackers as opposed to run-of-the-mill cyber criminals.


Despite the prominence of Microsoft software among last year's targets, the most widely exploited flaw was an Adobe Flash bug, tracked as CVE-2018-15982. It is a use-after-free vulnerability, meaning that memory can still be accessed after it has been freed.

The researchers behind the report have taken this opportunity to urge organisations to prioritise patching the Microsoft products in their respective technology stacks ahead of unpatched systems from other vendors.

Flash Player, meanwhile, should be disabled in employees' browser settings, as sites are increasingly removing the technology ahead of Adobe dropping support for the video player on 31 December 2020.

With the average vulnerability staying alive for seven years, the researchers added, it is important that organisations patch older vulnerabilities with just as much urgency as freshly exploited flaws.
