martes, 27 septiembre 2022
Visitas totales a la web: 87906526

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

The Ancient Microsoft Security Flaws Driving Cybercrime In 2020

Davey Winder. Senior Contributor

A brand-new IBM Security «X-Force Threat Intelligence Index» report was published today and reveals some very old Microsoft vulnerabilities are still causing very real problems.

There was some good news to be found within the pages of the latest threat intelligence report from the IBM Security X-Force. Namely that phishing was used as a successful initial infection vector in just 31% of incidents analyzed. That is compared to half in the previous year. While it would be nice to lay this firmly at the feet of cyber-awareness initiatives working as they should, I’m afraid that’s not the case. Indeed, the bitter pill you need to swallow when reading the report is that twice as many initial infections (60%) of victim networks used either stolen credential reuse or known software vulnerabilities. Although deception certainly isn’t dead, cybercriminals aren’t exactly known for their work ethic: the simplest way to nefarious profit will always be route one. Increasingly, IBM’s X-Force report suggests, previously disclosed vulnerabilities are a contributing factor. With more than 150,000 vulnerabilities disclosed to date, the researchers found that vulnerability scanning and exploitation resulted in 8% of incidents during 2018, rising to 30% in 2019. But that’s not the real shocker: older, already well-known, vulnerabilities in Microsoft Office and Windows Server Message Block accounted for «high rates of exploitation» in 2019.

90% of one threat vector driven by just two old Microsoft vulnerabilities

So, just how old is «old» in the context of these Microsoft vulnerabilities? Well, the IBM X-Force analysis of global spam activity, often used as part of the attack chain, found that just two patched vulnerabilities accounted for nearly 90% of those that threat actors attempted to exploit via these campaigns. CVE-2017-0199, a Microsoft Word exploit, dates back to November 2016 as far as exploits are concerned, with a Microsoft patch available from April 2017. That’s pretty old, huh? Not as old as the other vulnerability, CVE-2017-11882, a memory corruption issue in Microsoft Office that apparently has roots that can be traced back nearly twenty years.

«While sophisticated adversaries may develop zero-day exploits,» the report states, «relying on known exploits occurs more frequently as such exploits allow adversaries to gain an initial foothold without having to expend resources to craft new tactics, techniques and procedures (TTPs), saving their best weapons for the most heavily defended networks.» You only have to look to the WannaCry infection, MS17-010, instances of which are still being seen more than two years after the patch became available.

To patch or not to patch? That is the question

This leads to the question of whether it’s a won’t patch or can’t patch situation that is the problem here. I put that precise question, as well as one asking what it will take to burst the unpatched old vulnerabilities bubble, to members of the Beer Farmers information security collective.

Sean Wright, OWASP Scotland chapter leader, agrees with the X-Force report conclusion attackers tend to focus on known vulnerabilities. «A saying comes to mind from the attacker’s perspective, namely if it ain’t broke don’t fix it,» Wright says, «if old exploits work, then attackers don’t need to invest additional time and resources to create something new.» Application security specialist, Mike Thompson, tells me that he «knows for a fact,» that many hospitals are still running equipment using Windows XP, for example. «Why use a fresh exploit,» Thompson says, «when there’s still an unhealthy footprint like that kicking around?»

Within the SME space, there are plenty such cases of legacy applications integrating with old versions of Microsoft Office, says Ian Thornton-Trump, CISO at threat intelligence company Cyjax. «You think that an integrated app could support the latest versions of Office?» he says, «not a chance.» Many of the line of business client-server apps found in professional services firms date back to the early 2000s, meaning that «patching them may put at risk a critical billing, ERP, CRM or record system,» according to Thornton-Trump. «The business probably has looked at upgrading that legacy app and balked or rejected the upgrade cost outright,» he says, «that’s the primary reason I believe so much old on-premises SQL, SharePoint, and Exchange is still out there. If it works and makes money for the firm, why upgrade it?»

So how can this problem ever be resolved? «The biggest improvement to technical security an organization can make is to remove technological debt for hardware and software,» Thornton-Trump concludes. I won’t repeat just how easy it is to discover the system admin password for a SQL database using many apps from 15 years ago, with the method that Thornton-Trump showed me, but he’s certainly not the only one to know it works…

Fecha de publicaciónfebrero 11, 2020

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos


Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

La artillería ‘made in USA’ comprada por Marruecos que deja fuera de juego a España

El país magrebí sigue reforzando sus fuerzas armadas a golpe de talonario, y no lo hace de...

Últimas noticias

Pilar Montero del grupo de emergencias en Patrimonio (UCM): «El terremoto de Lorca lo cambió todo»

La directora del grupo de investigación de Gestión de Riesgos y Emergencias en Patrimonio Cultural (GREPAC)...

La actriz de Hollywood que logró uno de los inventos militares más importantes del siglo XX

Hedy Lamarr pasó de huir del fascismo que se propagaba por Europa en los años treinta a enfrentarse directamente a él, creando...


El 19 de septiembre de 2022, ha sido un día que pasará a la historia del Reino Unido y la del resto del mundo. En ese día se ha producido el entierro de la reina Isabel II de Inglaterra tras su fallecimiento el día 8 de septiembre en el castillo de Balmoral (Escocia).

El pulso electromagnético, el arma que puede hacer retroceder a una ciudad al siglo XIX

Estados Unidos, Rusia y China trabajan en sus propios proyectos. El Pentágono cree que Irán y Corea del Norte también lo hacen.

Así se gestó un ‘atraco virtual’ de 240.000 euros a través de Bizum

Más de un centenar de personas participó en un entramado para desvalijar la cuenta corriente de una anciana tras detectar una debilidad...