Last week we finished our analysis of the Top 10 most prevalent vulnerabilities for the trailing three months, November 2014 through January 2015. We perform this analysis periodically to give the market an overview of one of the items in our Laws of Vulnerabilities research: the Prevalence of Vulnerabilities.
You can use the data to enrich your own Vulnerability Management practice. We think it makes sense to take a look at the listed vulnerabilities and see how your environment compares.
Here is the list of the most detected vulnerabilities on external networks. It includes several of the vulnerabilities we blogged and talked about in recent months, namely Heartbleed and other SSL issues:
| Vulnerability | ID | Reference |
|---|---|---|
| OpenSSL Multiple Remote Security Vulnerabilities | 38602 | OpenSSL Security Advisory [05 Jun 2014] |
| Cisco IOS Malformed IPV4 Packet Denial of Service Vulnerability | 43051 | No Reference |
| Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities | 12260 | RHSA-2008-0004 |
| SSL Server Allows Anonymous Authentication Vulnerability | 38142 | No Reference |
| OpenSSH Signal Handling Vulnerability | 38560 | No Reference |
| Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100) | 90764 | KB2659883 |
| SSH Protocol Version 1 Supported | 38304 | No Reference |
| Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020) | 86837 | MS09-020 |
| SSL Server Allows Cleartext Communication Vulnerability | 38143 | No Reference |
| OpenSSL Memory Leak Vulnerability (Heartbleed Bug) | 42430 | OpenSSL vulnerabilities |
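Three of the entries above (anonymous TLS authentication, cleartext TLS communication and SSH protocol version 1 support) are configuration findings you can verify on your own external hosts without waiting for a scan. The script below is an added example written for this post, not the page's or any scanner's own code. It assumes that "anonymous authentication" corresponds to the OpenSSL cipher class aNULL (anonymous DH/ECDH suites, no certificate) and "cleartext communication" to eNULL (authenticated but unencrypted suites); the host name is a placeholder you replace with your own. The TLS probe is capped at TLS 1.2 because TLS 1.3 suites are configured separately in OpenSSL and would otherwise let the handshake succeed for the wrong reason.

```python
"""Self-checks for three configuration findings from the external top-10 list:
anonymous TLS authentication, cleartext (NULL-cipher) TLS and SSH protocol v1.
Added example, not part of the original post; the aNULL/eNULL mapping below is
an assumption and the target host is supplied on the command line."""
import socket
import ssl
import sys

# Assumed mapping of the two SSL findings onto OpenSSL cipher classes.
CHECKS = {
    "SSL Server Allows Anonymous Authentication": "aNULL",  # anonymous DH/ECDH, no certificate
    "SSL Server Allows Cleartext Communication": "eNULL",   # authenticated but unencrypted
}


def ssh_v1_supported(banner: str) -> bool:
    """Decide from the SSH identification string (RFC 4253, section 4.2) whether
    the server will speak protocol version 1.  "SSH-1.5-x" is v1 only and
    "SSH-1.99-x" offers both v1 and v2; "SSH-2.0-x" is v2 only."""
    if not banner.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {banner!r}")
    protoversion = banner.split("-", 2)[1]
    return protoversion.startswith("1.")


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line.  The server sends it first and may
    precede it with other lines, so take the first line that starts with SSH-."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(256).decode("ascii", "replace")
    for line in data.splitlines():
        if line.startswith("SSH-"):
            return line.rstrip("\r")
    raise ValueError(f"no SSH identification string from {host}:{port}")


def tls_accepts(host: str, ciphers: str, port: int = 443, timeout: float = 5.0):
    """Offer ONLY the given OpenSSL cipher list and report whether the server
    completes the handshake.  Returns True (accepted), False (refused) or None
    (the local OpenSSL build cannot offer those suites, so this machine cannot
    test for them).  Unreachable hosts raise instead of reading as "refused"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                 # anonymous suites carry no certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2    # keep TLS 1.3 suites out of the offer
    try:
        # Modern OpenSSL hides anonymous and NULL suites above security level 0.
        ctx.set_ciphers(f"{ciphers}:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None     # handshake completed with our suites
    except (ssl.SSLError, ConnectionResetError):
        return False                                # alert or abrupt close: server refused


def check_host(host: str) -> dict:
    """Run all three checks against one host and return finding -> result."""
    results = {title: tls_accepts(host, ciphers) for title, ciphers in CHECKS.items()}
    results["SSH Protocol Version 1 Supported"] = ssh_v1_supported(fetch_ssh_banner(host))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python selfcheck.py HOST [HOST ...]")
    for target in sys.argv[1:]:
        for title, hit in check_host(target).items():
            status = "FOUND" if hit else ("untestable here" if hit is None else "ok")
            print(f"{target}: {title}: {status}")
```

A result of "untestable here" means your local OpenSSL was built without the suite class in question; run the check from a host whose OpenSSL still has them, or fall back to the scanner result. Note that the SSH check only reads the advertised version and does not attempt a v1 key exchange.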
On the internal side the turnover is much quicker, but the categories remain the same: Internet Explorer, Adobe Flash and Reader, the Windows OS and Microsoft Office. The most prevalent entries in each of those categories are all recent, which indicates that patching is taking care of the older vulnerabilities. Java is the one that lags: the most prevalent Java finding is the July 2014 Critical Patch Update, and Oracle has shipped two quarterly CPUs since then (October 2014 and January 2015), so the typical installation is two patch cycles, more than six months, behind. Fortunately Java has not had any major exploits in the last year, so lagging that far behind may be an acceptable risk, but that is a judgment to make against your own exposure, not a reason to leave Java out of the patch cycle.
| Vulnerability | ID | Reference |
|---|---|---|
| Microsoft Internet Explorer Cumulative Security Update (MS15-009) | 100220 | MS15-009 |
| Oracle Java SE Critical Patch Update – July 2014 | 122362 | Oracle Java SE CPU July 2014 |
| Adobe Flash Player and AIR Multiple Vulnerabilities (APSB14-24) | 122827 | APSB14-24 |
| Microsoft .NET Framework Elevation of Privilege Vulnerability (MS14-072) | 90997 | MS14-072 |
| Microsoft Windows Network Location Awareness Service Security Bypass Vulnerability (MS15-005) | 91007 | MS15-005 |
| Adobe Reader and Acrobat Multiple Vulnerabilities (APSB14-20) | 122663 | APSB14-20 |
| Microsoft Windows Application Compatibility Cache Elevation of Privilege Vulnerability (MS15-001) | 91005 | MS15-001 |
| Microsoft Windows Components Directory Traversal Information Disclosure Vulnerability (MS15-004) | 91012 | MS15-004 |
| Microsoft Windows Kerberos Elevation of Privilege Vulnerability (MS14-068) | 90998 | MS14-068 |
| Microsoft Word and Office Web Apps Remote Code Execution Vulnerability (MS14-081) | 110244 | MS14-081 |
Next we plan to look at the vulnerabilities that have known exploits, to see whether they are being addressed any faster; most likely that analysis will follow the next Patch Tuesday.
Stay tuned for further updates.