Security Prioritization - Microsoft flaws used in three quarters of all exploits
Take action: Simply keeping your Windows desktop and laptop updated reduces your risk of being hacked by a huge margin. All it takes is a click of a button and waiting for an hour a month. Take the hour to go outside, talk to people, or make some good food.
Cybersecurity company Qualys has conducted an analysis of the top 20 vulnerabilities that have been consistently exploited by threat actors, malware, and ransomware groups in recent years. Not too surprisingly, 15 of these vulnerabilities are associated with Microsoft products.
Just looking at the top 5 most targeted vulnerabilities provides a solid list of priorities for every security team. What's terrifying is that some of these vulnerabilities date from 2017, which points to disappointing discipline in patching Microsoft endpoint products:
- Microsoft Office memory corruption vulnerability (CVE-2017-11882): This vulnerability, included in CISA's "Additional Routinely Exploited Vulnerabilities in 2022" list, was exploited by 467 instances of malware, 53 different threat actors, and 14 ransomware attacks. It allows significant memory corruption in Microsoft Office's Equation Editor, potentially leading to arbitrary code execution and even a full system takeover.
- Microsoft WordPad remote code execution (RCE) vulnerability (CVE-2017-0199): Exploited by 93 malware instances, 53 threat actors, and 5 ransomware attacks, this flaw affects specific Microsoft Office and WordPad versions. Successful exploitation permits arbitrary code execution within the user's security context.
- Vulnerability in Windows common controls (CVE-2012-0158): This vulnerability, exploited by 63 malware instances, 45 threat actors, and 2 ransomware attacks, allows remote code execution by manipulating Windows standard controls through a specially crafted webpage.
- Microsoft Office RCE vulnerability (CVE-2017-8570): Exploited by 52 malware instances and 11 threat actors, this flaw in Microsoft Office and WordPad enables arbitrary code execution with the same privileges as the logged-in user.
- Zerologon (CVE-2020-1472): This vulnerability in Microsoft's Netlogon Remote Protocol was exploited by 18 malware instances, 16 threat actors, and 11 ransomware attacks. It could enable an attacker to impersonate a server and compromise the entire Windows domain, gaining control over all Active Directory identity services.
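As an added example (not part of the original post and not Qualys' or Microsoft's code), here is a read-only PowerShell posture check that a security team could run on a Windows host to verify the two things the list above keeps coming back to: whether the machine is actually being patched, and whether the documented mitigations for the Equation Editor flaw (CVE-2017-11882) and Zerologon (CVE-2020-1472) are in place. It relies on the registry locations and values from Microsoft's published guidance for those two CVEs (the Equation Editor COM compatibility flag 0x400 and the Netlogon `FullSecureChannelProtection` enforcement value); the Windows Update COM search and `Get-HotFix` are standard Windows APIs. It changes nothing on the host.

```powershell
# Added example, not from the original post: read-only patch and mitigation posture check.
# Run in an elevated PowerShell session on the host being checked.

function Get-PatchPosture {
    # 1. Patching discipline: most recent hotfix and number of pending (non-hidden) updates.
    $lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $session    = New-Object -ComObject Microsoft.Update.Session
    $searcher   = $session.CreateUpdateSearcher()
    $pending    = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

    [pscustomobject]@{
        LastHotfixId   = $lastHotfix.HotFixID
        LastHotfixDate = $lastHotfix.InstalledOn
        PendingCount   = $pending.Count
        PendingTitles  = @($pending | ForEach-Object { $_.Title })
    }
}

function Test-EquationEditorDisabled {
    # 2. CVE-2017-11882: Microsoft's workaround disables the legacy Equation Editor COM server
    #    by setting "Compatibility Flags" = 0x400 on its CLSID (both native and WOW6432Node views).
    $clsid = '{0002CE02-0000-0000-C000-000000000046}'
    $keys  = @(
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
    )
    foreach ($k in $keys) {
        $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -band 0x400) { return $true }
    }
    return $false
}

function Test-ZerologonEnforcement {
    # 3. CVE-2020-1472: only meaningful on a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
    #    Enforcement mode is FullSecureChannelProtection = 1 under the Netlogon parameters key;
    #    Netlogon event IDs 5827/5828 in the System log record denied vulnerable secure-channel connections.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -lt 4) { return [pscustomobject]@{ IsDomainController = $false; Enforced = $null; DeniedEvents = 0 } }

    $nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $fscp  = (Get-ItemProperty -Path $nlKey -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    $denied = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828 } `
                            -MaxEvents 100 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        IsDomainController = $true
        Enforced           = ($fscp -eq 1)
        DeniedEvents       = $denied.Count
    }
}

# Report
$posture = Get-PatchPosture
Write-Host ("Most recent hotfix: {0} on {1}; pending updates: {2}" -f $posture.LastHotfixId, $posture.LastHotfixDate, $posture.PendingCount)
$posture.PendingTitles | ForEach-Object { Write-Host "  - $_" }

if (Test-EquationEditorDisabled) { Write-Host "CVE-2017-11882: Equation Editor COM server disabled (0x400 set)" }
else { Write-Host "CVE-2017-11882: Equation Editor COM server NOT disabled; confirm the Office security update is installed" }

$zl = Test-ZerologonEnforcement
if (-not $zl.IsDomainController) { Write-Host "CVE-2020-1472: not a domain controller, Netlogon enforcement check skipped" }
elseif ($zl.Enforced) { Write-Host ("CVE-2020-1472: enforcement mode on; {0} denied vulnerable connections logged" -f $zl.DeniedEvents) }
else { Write-Host "CVE-2020-1472: FullSecureChannelProtection is not 1; verify the DC is fully patched and enforcement is enabled" }
```

A pending-update count that stays above zero month after month, or a last-hotfix date older than a few months, is the concrete signal behind the "patching discipline" point above. On a domain controller that has all post-February-2021 updates installed, Netlogon enforcement is on regardless of the registry value, so treat a missing `FullSecureChannelProtection` value as a prompt to confirm patch level rather than as proof of exposure.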
The list of the top 20 most exploited vulnerabilities also encompasses issues related to Apache's log4j Java library (Log4Shell), Oracle, Unix/Linux, Jira Atlassian, Citrix, Ivanti, and Fortinet. Log4Shell, for example, was exploited by 10 malware instances, 26 threat actors, and 5 ransomware attacks.