Microsoft, Google apps feature in the top 20 vulnerabilities in enterprise environments

The most severe web browser bugs have the potential to disrupt up a third of enterprise environments.
Written by Charlie Osborne, Contributing Writer

Microsoft and Google software offerings have secured the top spots when it comes to vulnerabilities believed to be best able to disrupt enterprise services and systems today.

According to cybersecurity firm Tenable, the most prevalent vulnerabilities which have been assigned a CVE score and number -- based on update and severity metrics -- have the potential to impact between 20 and 30 percent of enterprises if left unpatched or unresolved.

On Wednesday, the company released the latest Tenable Vulnerability Intelligence Report, which claims that Microsoft .Net and Office, Adobe Flash, and Oracle's Java have the most widespread impact for enterprise assets. In total, half of vulnerability-based enterprise threats are due to problems with Adobe Flash, whereas 20 percent of vulnerabilities belong to Microsoft Office.

When it comes to individual vulnerabilities with the widest impact and severity, however, one particular security flaw in Microsoft apps, CVE-2018-8202, is believed to have the potential to impact 32 percent of enterprises.

The vulnerability, discovered this year, is described as a privilege escalation issue in the .NET framework.

TechRepublic: Hackers selling exploits to law enforcement agencies have poor security practices

The second top spot belongs to a bug in Google Chrome, CVE-2018-6153. The vulnerability is a stack-based buffer overflow issue caused by improper bounds checking by Skia. If an attacker is able to dupe a victim into opening a specifically crafted website, the overflow bug can be triggered in order to execute arbitrary code or to cause a system crash.

Tenable estimates that 30 percent of enterprise systems could be impacted by such a bug.

In third comes CVE-2015-6136, a vulnerability in Microsoft IE discovered back in 2015. The vulnerability, which is estimated to have the potential to impact 28 percent of enterprises, is described as a flaw which permits the remote execution of code via a crafted website due to scripting engine memory corruption.

The fourth vulnerability believed to have the most impact on the enterprise isCVE-2018-2938, a bug in a component in Oracle's Java which can be used to gain elevated privileges. In total, Tenable estimates this security flaw could impact up to 28 percent of enterprises.

CNET: ACLU demands DHS disclose its use of facial-recognition tech

The fifth vulnerability is found in Microsoft apps. CVE-2018-1039 exists in the .NET framework and permits attackers to bypass device guard functionality. This security flaw is believed to have the potential to impact up to 28 percent of organizations.

The remaining 15 vulnerabilities and security problems -- some of which contain a CVE, and others do not -- have also been listed by Tenable as security flaws with the potential to disrupt the enterprise and are described below.

6: No CVE, SSL, 27 percent: SSL 2.0 and/or SSL 3.0 are impacted by cryptographic flaws including an insecure padding scheme.

7: CVE-2018-6130, Google Chrome, 26 percent: An out-of-bounds memory access issue in WebRTC.

8: CVE-2018-8242, Microsoft IE, 26 percent: A remote code execution vulnerability which exists in the way that the scripting engine handles objects in memory in Internet Explorer.

9: CVE-2017-8517, Microsoft IE, 25 percent: The failure of JavaScript engines to handle objects in memory properly in Microsoft browsers permit the execution of arbitrary code.

10: CVE-2018-5007, Adobe Flash Player, 25 percent: A type confusion vulnerability exists in versions of the software, and earlier, which can lead to the execution of arbitrary code.

11: CVE-2018-8249, CVE-2018-0978, Microsoft IE, 24 percent: A vulnerability which leads to remote code execution in IE due to improper object access.

12: CVE-2018-8310, Microsoft apps, 23 percent: A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. The bug impacts Microsoft Word and Microsoft Office.

13: CVE-2018-5002, Adobe Flash Player, 23 percent: Impacting versions of the software and earlier, this vulnerability is a stack buffer overflow problem which can lead to the execution of arbitrary code in the context of the current user.

14: CVE-2018-8178, Microsoft, 23 percent: A remote code execution vulnerability in Microsoft browsers.

15: CVE-2018-2814, Oracle Java, 23 percent: A bug in the Java SE embedded component of Oracle Java SE can result in a complete takeover by attackers.

16: CVE-2018-5008, Adobe Flash Player, 23 percent: Affecting versions and earlier, this out-of-bounds read security flaw can lead to information disclosure.

17: CVE-2017-11215, Adobe Flash Player, 22 percent: Software versions and earlier are affected by a use-after-free bug in the Primetime SDK which could lead to code corruption, control-flow hijack or an information leak.

See also: This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai

18: No CVE assigned, Mozilla, 22 percent: Tenable says legacy Mozilla applications, such as outdated versions of Firefox, Thunderbird and SeaMonkey, may contain vulnerabilities as no more security updates are available.

19: CVE-2015-0008, Microsoft, 22 percent: An untrusted search path vulnerability which exists in the MFC library in Microsoft Visual Studio .NET can be exploited by attackers to gain local privileges.

20: CVE-2018-4944, Adobe Flash, 22 percent: Adobe Flash versions and earlier contain a type confusion bug which can be exploited for execution of arbitrary code.

"Vendors such as Microsoft, Adobe, and Oracle have a comparatively low amount of distinct vulnerabilities, but affect a large number of enterprises and assets," the firm says. "These represent a global risk, as they affect a large number of enterprises and assets worldwide."

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards