You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks

It's generally accepted that security flaws in Microsoft's products are a top magnet for crooks and fraudsters: its sprawling empire of hardware and software is a target-rich ecosystem in that there is a wide range of bugs to exploit, and a huge number of vulnerable organizations and users.

And so we can believe it when Qualys yesterday said 15 of the 20 most-exploited software vulnerabilities it has observed are in Microsoft's code.

These are the vulnerabilities abused by miscreants to infect victims' systems with ransomware, alter or steal data, and remotely spread malware or takeover devices. Qualys's method for ranking these security holes took into account several factors, we're told, including the number of attackers known to exploit the vulnerability. 

Notably, older vulnerabilities were given less weight though that doesn't seem to have helped Microsoft's case. The No. 1 flaw on the list was patched in November 2017, a code execution hole in Microsoft Office's Equation Editor we'd have hoped had been mostly mitigated by now. Finally, more mature exploit code and inclusion in the US government's CISA list of top-exploited vulnerabilities will also boost a bug's rank on Qualys' index. Thus, be aware this list isn't just sorted by rate of exploitation; there are other points Qualys has considered.

Above all, it shows that Microsoft remains an attractive target for criminals and snoops, thanks to the decades-old IT giant's extensive user base.

"Ultimately, this boils down to return on investment from an attacker's perspective," Mehul Revankar, a product management veep at Qualys, told The Register. "Attackers are more likely to focus on Microsoft-based applications due to the larger number of vulnerable systems, increasing their chances of successfully exploiting and infiltrating organizations."

Microsoft declined to comment.

In addition to the Windows maker, other vendors on the top 20 list include Oracle with three heavily exploited bugs, and Linux, Jira Atlassian, Apache, Citrix, Ivanti, and Fortinet with one each.

6-year-old CVE still going strong

The No. 1 vulnerability is a six-year old memory corruption bug in Microsoft Office, tracked as CVE-2017-11882, has been exploited as recently as August 31, according to Qualys. 

"If the user has administrative rights, the attacker could gain complete control of the system, install programs, alter data, or create new user accounts with full privileges," wrote Ramesh Ramachandran, Qualys principal product manager for vulnerability management, detection and response, in revealing the top-20 list. 

"This vulnerability will be exploited if the user opens a specially crafted file, potentially sent via email or hosted on a compromised website."

Since it was fixed in 2017, the issue has been exploited by dozens of attackers and gangs, and used to deploy 467 malware variants and 14 types of ransomware, we're told. The vulnerability is primarily abused for espionage purposes and used to deploy data-stealing software. CISA included the bug in its Additional Routinely Exploited Vulnerabilities in 2022 list, and it topped the US-CERT's list of most-exploited flaws back in 2020. 

Last summer, Kaspersky researchers attributed attacks that abused this bug to Chinese cybercrime gang TA428. The cyberspies exploited CVE-2017-11882 to compromise more than a dozen organizations in several Eastern European countries, including Belarus, Russia, and Ukraine, and Afghanistan, installing backdoors and then stealing confidential data from military and industrial groups.

• Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year
• Apple opens annual applications for free hackable iPhones
• Barracuda gateway attacks: How Chinese snoops keep a grip on victims' networks
• More Okta customers trapped in Scattered Spider's web

The No. 2 flaw, CVE-2017-0199, was also fixed back in 2017. It's a remote code execution vulnerability that affects specific Microsoft Office and WordPad versions when they parse specially crafted files. 

To exploit CVE-2017-0199, an attacker would have to trick a user into opening or previewing a malicious file — usually sent via a phishing email. And, again, it's worth noting that Redmond addressed the issue by, according to the software titan, "correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue."

Over the years, it was exploited by 93 strains of malware, 53 attackers, and five ransomware families, according to Qualys, which adds that this vulnerability was "trending in the wild as recently as September 4."

Back to 2012

If the first two years-old security holes weren't bad enough, the third flaw on Qualys' list is a remote code execution vulnerability in Windows Common Controls that dates back to 2012. It's tracked as CVE-2012-0158.

An attacker would need to convince a user to visit a malicious website laced with code designed to exploit the vulnerability. Assuming a crook had success doing that — and, according to Qualys, 45 different attackers did — they could gain the same privileges as the logged-on user.

"If the user has administrative privileges, this could mean total control of the affected system," Ramachandran wrote. "This vulnerability has been notably exploited in various cyber-attacks, enabling attackers to install programs, manipulate data, or create new accounts with full user rights."

The No. 4 ranked vulnerability is yet another RCE bug in Microsoft Office and WordPad tracked as CVE-2017-8570. It requires an attacker to trick a user into opening a malicious file, and can be abused to download and run malware on victims' computers.

The full list of all 20 vulnerabilities can be found here. And in closing: please, people, update your software and install patches in a timely manner. Let's not keep making it any easier for criminals. ®