Qualys Blog

www.qualys.com
wkandek

Top 10 Vulnerabilities – February 2015

Last week we finished our analysis of the Top 10 most prevalent vulnerabilities for the trailing three months: November and December 2014 and January 2015. We perform this analysis periodically to provide the market with an overview of one of the items in our Laws of Vulnerabilities research: the Prevalence of Vulnerabilities.

You can use the data to enrich your own Vulnerability Management practice. We think it makes sense to take a look at the listed vulnerabilities and see how you compare.

External Vulnerabilities

Here is the list of the most detected vulnerabilities in external networks. It includes some of the vulnerabilities we have blogged and talked about in recent months, namely Heartbleed and other SSL issues:

| Title | QualysID | Ext. Reference |
|---|---|---|
| OpenSSL Multiple Remote Security Vulnerabilities | 38602 | OpenSSL Security Advisory [05 Jun 2014] |
| Cisco IOS Malformed IPV4 Packet Denial of Service Vulnerability | 43051 | No Reference |
| Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities | 12260 | RHSA-2008-0004 |
| SSL Server Allows Anonymous Authentication Vulnerability | 38142 | No Reference |
| OpenSSH Signal Handling Vulnerability | 38560 | No Reference |
| Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100) | 90764 | KB2659883 |
| SSH Protocol Version 1 Supported | 38304 | No Reference |
| Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020) | 86837 | MS09-020 |
| SSL Server Allows Cleartext Communication Vulnerability | 38143 | No Reference |
| OpenSSL Memory Leak Vulnerability (Heartbleed Bug) | 42430 | OpenSSL vulnerabilities |

Internal Vulnerabilities

On the internal side the renewal rate is much quicker, but the categories remain the same: Internet Explorer, Adobe Flash and Reader, the Windows OS and Microsoft Office. The entries for these are all fairly recent, indicating that patching is taking care of the older vulnerabilities. Java is the one that lags a bit further behind: there have already been 2 major patch cycles since the July release that is the most prevalent, indicating that most installations are 9 months behind. Fortunately Java has not had any major exploits in the last year, so keeping it so far behind might be an acceptable risk.

| Title | QualysID | Ext. Reference |
|---|---|---|
| Microsoft Internet Explorer Cumulative Security Update (MS15-009) | 100220 | MS15-009 |
| Oracle Java SE Critical Patch Update – July 2014 | 122362 | Oracle Java SE CPU July 2014 |
| Adobe Flash Player and AIR Multiple Vulnerabilities (APSB14-24) | 122827 | APSB14-024 |
| Microsoft .Net Framework Elevation of Privilege Vulnerability (MS14-072) | 90997 | MS14-072 |
| Microsoft Windows Network Location Awareness Service Security Bypass Vulnerability (MS15-005) | 91007 | MS15-005 |
| Adobe Reader and Acrobat Multiple Vulnerabilities (APSB14-20) | 122663 | APSB14-20 |
| Microsoft Windows Application Compatibility Cache Elevation of Privilege Vulnerability (MS15-001) | 91005 | MS15-001 |
| Microsoft Windows Components Directory Traversal Information Disclosure Vulnerability (MS15-004) | 91012 | MS15-004 |
| Microsoft Windows Kerberos Elevation of Privilege Vulnerability (MS14-068) | 90998 | MS14-068 |
| Microsoft Word and Office Web Apps Remote Code Execution Vulnerability (MS14-081) | 110244 | MS14-081 |

Next we are planning to look at vulnerabilities that have known exploits, to see whether they are being addressed any faster, but most likely only after the next Patch Tuesday.

Stay tuned for further updates.
