With the New Year celebrations safely behind us, it’s time to look forward and plan for 2015. Before we can do that, however, we need to spend a few minutes to remember the vulnerabilities of 2014 and what we can take away from these.
Every year there are several zero-days and tons of undisclosed vulnerabilities fixed by software vendors. This year was a little different:
- The total number of disclosed vulnerabilities per year almost hit 10,000. Because of this, the maintainers of the CVE database announced that the CVE syntax would be modified, which now allows up to 10 million vulnerabilities to be assigned identifiers annually.
- Major “named” vulnerabilities like Heartbleed, Shellshock, Poodle, and WinShock were disclosed and became widely known within the security industry. These vulnerabilities were notable for their severe impact, widespread attack surface, and difficulty in patching.
- There was an increase in amplification distributed denial-of-service (DDoS) attacks. These attacks generate the high traffic volumes used in denial-of-service attacks by exploiting weaknesses in network protocols to “elicit” large volumes of response packets, which are then “redirected” to a victim to deny service to it.
- Some good news – there were no Java zero-days in 2014! However, that doesn’t mean that Java vulnerabilities weren’t exploited. They are still being actively exploited by exploit kits. Users still running older versions of Java should upgrade.
- For Adobe products, it was a mixed story. Overall, the number of vulnerabilities in Adobe products declined from 2013. However, the number of vulnerabilities in Adobe Flash went up from 56 to 76. Vulnerabilities in Acrobat/Reader went down by almost 30%.
Figure 1. Number of vulnerabilities in Flash Player and Acrobat/Reader
- There were a lot of vulnerabilities found in OpenSSL, not just Heartbleed. In 2014, 24 vulnerabilities were found – which equaled the number from the previous three years combined.
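The amplification bullet above describes the mechanism from the attacker's side; the defender's counterpart is spotting it in flow data. The following is an added example (not code from the original post): it aggregates constructed flow records per client address and UDP service, and flags any service whose response bytes exceed the request bytes by a large factor. The record layout, the thresholds, and the sample values are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One flow record: (protocol, server_port, client_ip, request_bytes, response_bytes).
Flow = Tuple[str, int, str, int, int]

# Constructed sample records (not from the original post), as a flow exporter at
# the edge of a network hosting public UDP services might produce them.
SAMPLE_FLOWS: List[Flow] = [
    ("udp", 53, "198.51.100.7", 64, 3100),    # tiny query, very large answer
    ("udp", 53, "198.51.100.7", 64, 3050),
    ("udp", 123, "198.51.100.7", 48, 2400),   # same client address hit via NTP too
    ("udp", 53, "203.0.113.9", 70, 190),      # normal-sized DNS answer
    ("tcp", 443, "203.0.113.9", 520, 48000),  # big TLS download, but over TCP
]


def aggregate(flows: Iterable[Flow]) -> Dict[Tuple[str, str, int], Tuple[int, int]]:
    """Sum request and response bytes per (client_ip, protocol, server_port)."""
    totals: Dict[Tuple[str, str, int], List[int]] = defaultdict(lambda: [0, 0])
    for proto, port, client, req, resp in flows:
        totals[(client, proto, port)][0] += req
        totals[(client, proto, port)][1] += resp
    return {k: (v[0], v[1]) for k, v in totals.items()}


def flag_amplification(flows: Iterable[Flow], min_ratio: float = 10.0,
                       min_resp_bytes: int = 2000) -> List[Tuple[str, str, int, float]]:
    """Return (client_ip, proto, port, ratio) for services likely being abused as amplifiers.

    Only connectionless (UDP) services are considered: a TCP peer completed a
    handshake, so its source address is not simply spoofable to a victim. The
    thresholds are assumptions chosen for this example, not published values.
    """
    hits = []
    for (client, proto, port), (req, resp) in aggregate(flows).items():
        if proto != "udp" or req == 0:
            continue
        ratio = resp / req
        if ratio >= min_ratio and resp >= min_resp_bytes:
            hits.append((client, proto, port, round(ratio, 1)))
    return sorted(hits)


def victims(flows: Iterable[Flow]) -> List[str]:
    """Distinct client addresses flagged on any UDP service: the likely spoofed victims."""
    return sorted({hit[0] for hit in flag_amplification(flows)})


if __name__ == "__main__":
    for hit in flag_amplification(SAMPLE_FLOWS):
        print("possible amplification toward %s via %s/%d (x%.1f)" % hit)
```

A flagged "client" address is the party being flooded, not the attacker, so the mitigation is rate-limiting or restricting the service, not blocking that address.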
With the above events in mind, what should be some of our key takeaways from all this?
- Even old applications can still have uncovered vulnerabilities, as we saw with Heartbleed and Shellshock.
- Open source software is said to be inherently more secure, as it goes through more reviewers (and thus, more opportunities for any vulnerabilities to be spotted). However, that is not necessarily the case, as OpenSSL and Bash showed.
- The CVSS score is not the be-all and end-all of vulnerability severity. After all, Heartbleed only received a CVSS score of 5.0! Assess the impact of vulnerabilities according to your organization’s situation and applications. Take the CVSS score with a grain of salt!
- Upgrade older versions as soon as possible. Patch as soon as your situation allows it.
- Continuously review your security posture and plan your investments in information security tools and practices accordingly. Employee coaching is a key step in securing a company’s information. At the same time, ensure that you make the best use of your security solutions – e.g. by configuring them properly, tuning them to your requirements etc.
- Implement a least-privilege access policy. Many exploits today obtain the privileges of the logged-in user; a least-privilege access policy would help limit the damage from these exploits.
There were some other things in 2014 that were not unexpected, but still significant.
- There were eight zero-days in Internet Explorer and four in Adobe Acrobat/Reader. There are alternative browsers and PDF readers available; consider your options.
- For web servers, zero-days were found in both Apache Struts and WordPress (as well as WordPress plugins). Aside from server software, plugins that are added at a later time should be considered a possible source of risk as well.
- Trend Micro also discovered and reported 19 critical vulnerabilities to vendors in 2014 (see below for the complete list).
No matter how many zero-days or Heartbleed/Shellshock-type vulnerabilities we may see, we should never forget that the fundamental vulnerabilities in web applications such as SQL Injection, Cross Site Scripting (XSS), broken authentication etc. are still very prevalent. They are, quite often, the reason behind the big data breaches that occur.
Also, we should never forget the best practices: controlling access to data, encrypting it as much as we can, and ensuring the right security products are in place to shield quickly against vulnerabilities.
The 19 critical vulnerabilities (and affected software) which we found and reported to the appropriate vendors in 2014 are:
- CVE-2014-0290 – Internet Explorer
- CVE-2014-0417 – Java
- CVE-2014-0525 – Adobe Acrobat/Reader
- CVE-2014-0536 – Adobe Flash
- CVE-2014-0559 – Adobe Flash
- CVE-2014-1753 – Internet Explorer
- CVE-2014-2401 – Java
- CVE-2014-1772 – Internet Explorer
- CVE-2014-1782 – Internet Explorer
- CVE-2014-1804 – Internet Explorer
- CVE-2014-2768 – Internet Explorer
- CVE-2014-4057 – Internet Explorer
- CVE-2014-4095 – Internet Explorer
- CVE-2014-4097 – Internet Explorer
- CVE-2014-4105 – Internet Explorer
- CVE-2014-0581 – Flash Player
- CVE-2014-6368 – Internet Explorer
- CVE-2014-8447 – Adobe Reader and Acrobat
- CVE-2014-6443 – Netis router