These old security vulnerabilities are creating new opportunities for hackers

Over half of security vulnerabilities are over five years old and leaving them unpatched is very unwise.
Written by Danny Palmer, Senior Writer

Old security vulnerabilities in corporate networks are leaving organisations at risk from ransomware and other cyberattacks as hackers look to actively exploit unpatched systems and legacy software. 

Analysis by cybersecurity researchers at F-Secure suggests that 61% of security vulnerabilities that exist in corporate networks are from 2016 or even older, despite patches being available for five years or more. Some of the vulnerabilities that continue to be exploited to breach networks are more than a decade old.

One of the most common unpatched vulnerabilities plaguing businesses is CVE-2017-11882, an old memory corruption issue in Microsoft Office, including Office 365, which was uncovered and patched in 2017, but had existed since 2000. According to F-Secure, it's one of the most actively exploited vulnerabilities on Windows.  

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

The vulnerability requires little interaction from the user, making it useful for cyber criminals running phishing campaigns. Researchers note that since it was detailed in 2017, the vulnerability has regularly been used by hacking groups, including Cobalt Group

Other common vulnerabilities detailed in the research paper include CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7, which was detailed in 2012 and CVE-2013-1493.  

Security patches are available to protect against these vulnerabilities and have been available for years, but many organisations haven't applied the updates, leaving them vulnerable to various cyber-criminal intrusions. 

According to the report, organisations see ransomware as the key cybersecurity threat they face, but the exploits can also be exploited by cyber criminals looking to implant trojan malware, or gain access to networks by stealing usernames and passwords

But it's not just cyber criminals that pose a risk to organisations, nation state-backed hacking groups will often use the exact same vulnerabilities because they can be used to provide relatively easy access to networks.

Identifying and managing vulnerabilities can be a difficult task, especially for large organisations with vast IT estates, but the most effective way to prevent cyber criminals from exploiting vulnerabilities is for the IT department and information security teams to know what's on the network and move to protect it, via applying security patches, hardening defences or both. 

"Organisations that understand their IT estates, what opportunities they have to detect attacks, and what risks and threats are facing their industry, can prepare themselves to mitigate most of the damages caused by the kind of ransomware attacks we see today," said F-Secure global head of incident response Joani Green, who also warned that plans should be put in place about how to deal with successful attacks

"Detecting attacks is obviously the first step, but organizations that prepare a full plan for responding can put a stop to these incidents in a matter of hours instead of days or weeks," she said. 


Editorial standards