Legacy vulnerabilities in older code are becoming increasingly big risks to corporations as attackers are zooming in on unpatched and largely forgotten issues, according to HP's Cyber Risk Report.
HP's report highlights that push and pull between Google and Microsoft over vulnerabilities. Google has outed Microsoft issues before it could issue a fix to customers. However, Google's point is that Microsoft needs to step up the pace.
For instance, 7 of the top 10 exploits in 2014 were all discovered before 2013. Forty four percent of known breaches came from vulnerabilities that are 2 to 4 years old. Server misconfigurations were the top vulnerability and programming errors leave enterprises open for attack.
In a report, Art Gilliland, general manager of HP's enterprise security products, said:
The work of our threat research and software security research teams revealed vulnerabilities in products and programs that were years old--in a few cases, decades old. Well-known attacks were still distressingly effective, and misconfiguration of core technologies continued to plague systems that should have been far more stable and secure than they in fact proved to be. We are, in other words, still in the middle of old problems and known issues even as the pace of the security world quickens around us.
This snippet of an HP infographic tells the tale.
Among other key items:
- Software as a service and middleware are increasingly being exploited via protocols including HTTP, Simple Object Access Protocol (SOAP) and JSON.
- Oracle has curtailed exploits in Java. The report noted: "Oracle introduced click to play as a security measure making the execution of unsigned Java more difficult. As a result we did not encounter any serious Java zero days in the malware space. Many Java vulnerabilities were logical or permission-based issues with a nearly 100 percent success rate. In 2014, even without Java vulnerabilities, we still saw high success rate exploits in other areas."
- The top 10 discovered exploits in 2014 were led by Microsoft Internet Explorer as well as Adobe Flash.