Original release date: April 29, 2015
Systems running unpatched software from Adobe, Microsoft, Oracle, or OpenSSL.
Cyber threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure organizations. As many as 85 percent of targeted attacks are preventable .This Alert provides information on the 30 most commonly exploited vulnerabilities used in these attacks, along with prevention and mitigation recommendations.It is based on analysis completed by the Canadian Cyber Incident Response Centre (CCIRC) and was developed in collaboration with our partners from Canada, New Zealand, the United Kingdom, and the Australian Cyber Security Centre.
Unpatched vulnerabilities allow malicious actors entry points into a network. A set of vulnerabilities are consistently targeted in observed attacks.
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:Temporary or permanent loss of sensitive or proprietary information,Disruption to regular operations,Financial losses relating to restoring systems and files, andPotential harm to an organization’s reputation.
Maintain up-to-date softwareThe attack vectors frequently used by malicious actors such as email attachments, compromised “watering hole” websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24-hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.Patch commonly exploited vulnerabilitiesExecutives should ensure their organization’s information security professionals have patched the following software vulnerabilities. Please see patching information for version specifics.MicrosoftCVEAffected ProductsPatching InformationCVE-2006-3227Internet ExplorerMicrosoft Malware Protection Encyclopedia Entry CVE-2008-2244Office WordMicrosoft Security Bulletin MS08-042CVE-2009-3129OfficeOffice for MacOpen XML File Format Converter for MacOffice Excel ViewerExcelOffice Compatibility Pack for Word, Excel, and PowerPointMicrosoft Security Bulletin MS09-067CVE-2009-3674Internet ExplorerMicrosoft Security Bulletin MS09-072CVE-2010-0806Internet ExplorerMicrosoft Security Bulletin MS10-018CVE-2010-3333OfficeOffice for MacOpen XML File Format Converter for MacMicrosoft Security Bulletin MS10-087CVE-2011-0101Excel Microsoft Security Bulletin MS11-021CVE-2012-0158OfficeSQL ServerBizTalk ServerCommerce ServerVisual FoxProVisual BasicMicrosoft Security Bulletin MS12-027CVE-2012-1856OfficeSQL ServerCommerce ServerHost Integration ServerVisual FoxPro Visual BasicMicrosoft Security Bulletin MS12-060CVE-2012-4792Internet ExplorerMicrosoft Security Bulletin MS13-008CVE-2013-0074Silverlight and Developer RuntimeMicrosoft Security Bulletin MS13-022CVE-2013-1347Internet ExplorerMicrosoft Security Bulletin MS13-038CVE-2014-0322Internet ExplorerMicrosoft Security Bulletin MS14-012CVE-2014-1761Microsoft WordOffice Word ViewerOffice Compatibility PackOffice for MacWord Automation Services on SharePoint ServerOffice Web AppsOffice Web Apps ServerMicrosoft Security Bulletin MS14-017CVE-2014-1776Internet ExplorerMicrosoft Security Bulletin MS14-021 CVE-2014-4114WindowsMicrosoft Security Bulletin MS14-060 OracleCVEAffected ProductsPatching InformationCVE-2012-1723Java Development Kit, SDK, and JREOracle Java SE Critical Patch Update Advisory – June 2012CVE-2013-2465Java Development Kit and JREOracle Java SE Critical Patch Update Advisory – June 2013 AdobeCVEAffected ProductsPatching InformationCVE-2009-3953ReaderAcrobat Adobe Security Bulletin APSB10-02CVE-2010-0188ReaderAcrobatAdobe Security Bulletin APSB10-07CVE-2010-2883ReaderAcrobat Adobe Security Bulletin APSB10-21CVE-2011-0611Flash PlayerAIRReaderAcrobatAdobe Security Bulletin APSB11-07Adobe Security Bulletin APSB11-08CVE-2011-2462ReaderAcrobat Adobe Security Bulletin APSB11-30CVE-2013-0625ColdFusionAdobe Security Bulletin APSB13-03CVE-2013-0632ColdFusionAdobe Security Bulletin APSB13-03CVE-2013-2729ReaderAcrobatAdobe Security Bulletin APSB13-15CVE-2013-3336ColdFusionAdobe Security Bulletin APSB13-13CVE-2013-5326 ColdFusionAdobe Security Bulletin APSB13-27CVE-2014-0564Flash PlayerAIRAIR SDK & CompilerAdobe Security Bulletin APSB14-22 OpenSSLCVEAffected ProductPatching InformationCVE-2014-0160OpenSSLCERT Vulnerability Note VU#720951 Implement the following four mitigation strategies.As part of a comprehensive security strategy, network administrators should implement the following four mitigation strategies, which can help prevent targeted cyber attacks.RankingMitigation StrategyRationale1Use application whitelisting to help prevent malicious software and unapproved programs from running.Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.2Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.3Patch operating system vulnerabilities.4Restrict administrative privileges to operating systems and applications based on user duties.Restricting these privileges may prevent malware from running or limit its capability to spread through the network.It is recommended that users review US-CERT Security Tip (ST13-003) and CCIRC’s Mitigation Guidelines for Advanced Persistent Threats for additional background information and to assist in the detection of, response to, and recovery from malicious activity linked to advance persistent threats [2, 3].
 Canadian Cyber Incident Response Centre, Top 4 Strategies to Mitigate Targeted Cyber Intrusions
 Canadian Cyber Incident Response Centre, TR11-002, Mitigation Guidelines for Advanced Persistent Threats
 US-CERT Security Tip (ST13-003): Handling Destructive Malware
April 29, 2015: Initial release
This product is provided subject to this Notification and this Privacy & Use policy.