“Many vulnerabilities exploited in 2014 took advantage of code written many years ago—some are even decades old,” states a recent HP Cyber Risk Report.
The report cited the rise of legacy code vulnerabilities and noted how old vulnerabilities in Microsoft Windows (CVE-2010-2568), Adobe Reader and Acrobat® (CVE-2010-0188), and Oracle Java (CVE-2013-0422 and CVE-2012-1723) were among the most exploited in 2014. HP’s Annual Report has led some to admonish against digging deeper into so-called esoteric vulnerabilities like zero-days, and instead look into the obvious ones. They emphasized that “a big percentage of breaches (44 per cent) come from vulnerabilities which are two to four years old.”
This is in contrast to reports that focused on how enterprises should watch out for zero-day vulnerabilities instead since these are commonly used in cyber-espionage campaigns. One example of this was when a campaign launched by the “Sandworm Team” used a zero-day exploit that affected all supported versions of Microsoft Windows and Windows Server 2008 and 2012.
“It goes without saying that zero-day vulnerabilities pose a great risk to enterprises and users in general. However, based on analysis of targeted attacks seen in the past, older vulnerabilities are used more frequently,” says Trend Micro threat researcher Spencer Hsieh.
Zero-day vulnerabilities, especially those which affect outdated or unsupported platforms or applications, can be very effective in catching targets off-guard during an indefinite “window of exposure.” Older vulnerabilities, on one hand, lend attackers with an aged reliability that is sure to bait in a number of unpatched networks or machines.
However, in the ongoing discussion between which is worse, getting attacked via old or new vulnerabilities, the bottom line is that the attackers found a way in. In this case, wouldn’t it be better to cover both?
As we have mentioned before, addressing targeted attacks requires not only the right set of tools but also the right mindset. Looking back, the problem with old vulnerabilities can be addressed by an agile internal IT staff that can promptly apply security patches to all machines and servers once they are available.
On the other hand, addressing new (zero-day) vulnerabilities requires a more proactive approach. This can be more of a challenge for information security providers to make use of tactics like virtual patching to mitigate threats, honeypots to flag early attacks, heuristic scanning to identify suspicious files, and sandbox protection to execute said files in a protected environment without compromising the network.
IT administrators should refer to a security solution that exhibits effective vulnerability research and disclosure. As Trend Micro threat analyst Weimin Wu cited before, vendors with an established research process can better anticipate the exploit landscape and craft solutions in advance accordingly, validate solution effectiveness on unknown threat, and effectively respond to zero-day and N-day exploits.
As such, enterprises should opt for solutions that protect from old and new vulnerabilities via a timeless understanding of their intricacies, known patching tactics, and trusted vulnerability research capabilities.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).