
US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.

A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.

Microsoft ranks highly in the list because its software is widely used, and provides the most potential targets for hackers, though on the other hand, fixes have been available for these bugs for a long while: it doesn't have to be this way, people.

At the top of the charts is CVE-2017-11882, a remote code execution vulnerability in Office. The years-old memory corruption bug is exploited to spread data-harvesting trojans like Loki, FormBook, and FareIT.

Also popular with crooks is CVE-2017-0199, a remote code execution bug in Office that is exploited by tricking the mark into opening a specially crafted document. That bug is used as the entry point for banking and spyware trojans like FinSpy, Dridex, and LatentBot.

Remember that big Equifax hack? It was brought about by an exploit for CVE-2017-5638, a remote command execution (RCE) vulnerability in Apache Struts 2. If it's any consolation to Equifax, they are not alone in getting pwned by that bug; it is often used to spread the JexBoss malware.

If you really want to know how dismal the state of most people's PC security is, look no further than number four on the list: the eight-year-old CVE-2012-0158. That ancient Windows ActiveX bug is still effective enough to be used for Dridex malware infections, despite it being patched years ago.

The freshest of the bugs on the list is CVE-2019-0604. That SharePoint RCE flaw was connected to a reported hack at the United Nations and is used as the entry point for China Chopper, a minimalist web shell infection.

We have the NSA to thank for CVE-2017-0143, the SMB remote code execution flaw better known for its use with the EternalBlue spyware package that was developed by the spying agency and later dumped online by the ShadowBrokers.


Not content to let Microsoft have all the fun, we also get an appearance from Adobe Flash Player, AKA the internet's rickety screen door. CVE-2017-0143 is a use-after-free bug that has been providing malware purveyors an easy in-the-wild target since January 2018. It has been used to spread Dogcall, a remote access trojan (and maybe the name of your teenage garage band).

FinFisher, the surveillance package that was a hit with despots the world over back in 2015, spreads these days via CVE-2017-8759, a .NET remote code execution flaw.

CVE-2015-1641 is another blast from the past that is still popular with malware creeps. The Office flaw is exploited when the mark opens a specially-crafted text file. It is being used to spread the Toshliph and UWarrior malware, two spyware infections.

Rounding out the list is CVE-2018-7600, the remote code execution bug in Drupal that has been used to spread Kitty, a cryptocurrency mining infection.

US-CERT also notes that two more recent flaws, the Citrix vulnerability designated CVE-2019-19781 and an information disclosure flaw in Pulse Secure, have also been targeted in the wild lately.

As you can see, most of these bugs have been known about and fixed for years, so there is no excuse to be vulnerable. Keeping up to date with patches and other basic security practices will keep most systems well protected. ®
