Vulnerabilities proved to be one of the main security trends of 2019. Despite all of the testing, warnings and advice around vulnerability management, it seems the challenges that organizations face in finding and patching vulnerabilities are not going away anytime soon.
Industry research shows that the number of unpatched vulnerabilities continues to increase, stating that patching is typically delayed by 12 days due to staffing issues, while 72% of security professionals surveyed by ServiceNow reported difficulty in prioritizing what needs to be patched.
With this in mind, and to highlight the risks of unfixed exploits, Infosecurity has compiled a list of 10 of the most infamous, troublesome and damaging vulnerabilities faced by businesses across the world in recent years.
1 - MS17-010 (Eternal Blue)
Part of the most costly attacks in history so far, WannaCry and NotPetya both used Eternal Blue-style attacks as part of their payloads.
Source: Microsoft
2 - MS14-068
This could allow an attacker to exploit a vulnerability in Microsoft Kerberos and elevate unprivileged domain user account privileges.
Source: Rapid7
3 - CVE-2019-0708 (BlueKeep)
Despite multiple warnings, it took until November 2019 for the first exploits of Bluekeep to be spotted. It has been predicted that a widespread exploit could be severe.
Source: Fortinet
4 - MS08-067 (Conficker)
This Windows SMB vulnerability is over 10-years-old, and still seen in older networks with legacy gear.
Source: SANS Institute
5 - MS01-023 (Nimda)
Nimda was a package of Microsoft IIS exploits that were released a week after the 9/11 attacks.
Source: Microsoft
6 - Spectre/Meltdown
These speculative execution bugs were unexpected and drove new areas of hardware security, proving that CPU security was still important.
Source: Meltdown Attack
7 - CVE-2014-0160 (Heartbleed)
Heartbleed is a vulnerability in the OpenSSL code that handles the Heartbeat extension for TLS/DTLS.
Source: Synopsys
8 - CVE-2008-1447 (Kaminsky Bug)
This DNS vulnerability allowed attackers to send users to malicious sites and impersonate any legitimate website and steal data.
Source: Duo Security
9 - CVE-2014-6271 (Shellshock)
The remote code execution vulnerability affected Bash, and could allow an attacker to gain control over a targeted computer if exploited successfully.
Source: Symantec
10 - MS02-039 (SQL Slammer)
MS02-039 hit on the weekend of 25-26 January 2003, causing a denial of service on some internet hosts and dramatically slowing down general internet traffic.
Source: ESET We Live Security