Security News > 2020 > May > US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and provides the most potential targets for hackers, though on the other hand, fixes have been available for these bugs for a long while: it doesn't have to be this way, people.
The years-old memory corruption bug is exploited to spread data-harvesting trojans like Loki, FormBook, and FareIT. Also popular with crooks is CVE-2017-0199, a remote code execution bug in Office that is exploited by tricking the mark into opening a specially crafted document.
The freshest of the bugs on the list is CVE-2019-0604.
As you can see, most of these bugs have been known of and fixed for years, so there is no excuse to be vulnerable.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/14/uscert_most_pwned_bugs/
Related news
- What 2024 taught us about security vulnerabilties (source)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Patch Tuesday: January 2025 Security Update Patches Exploited Elevation of Privilege Attacks (source)
- CERT-UA warns against “security audit” requests via AnyDesk (source)
- CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits (source)
- 7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now (source)
- ‘Sneaky Log’ Microsoft Spoofing Scheme Sidesteps Two-Factor Security (source)
- Asus lets processor security fix slip out early, AMD confirms patch in progress (source)
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-03-05 | CVE-2019-0604 | Improper Input Validation vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. | 9.8 |
| 2017-04-12 | CVE-2017-0199 | Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API." | 7.8 |