Vulnerability
What is a vulnerability?
A vulnerability is a weakness or error in a system or device’s code that, when exploited, can compromise the confidentiality, availability, and integrity of the data stored in it through unauthorized access, elevation of privileges, or denial of service. Code or a tool used to take advantage of a vulnerability is called an exploit.
Most of the disclosed vulnerabilities are shared on the National Vulnerability Database (NVD) and enumerated in the Common Vulnerabilities and Exposures (CVE) List to make it easier to share data across separate vulnerability capabilities.
Here are some of the recent, notable vulnerabilities:
| Date | Vulnerability | CVE Identifier | Details |
| --- | --- | --- | --- |
| September 2019 | Internet Explorer vulnerability | CVE-2019-1208 | A critical use-after-free flaw that can lead to arbitrary or remote code execution (RCE) |
| June 2019 | macOS double free vulnerability | CVE-2019-8635 | A privilege escalation flaw that can let attackers execute code in the vulnerable macOS-based system |
| May 2019 | | CVE-2019-0708 | Vulnerability in remote desktop services notable for its “wormability” |
| May 2019 | Windows 10 Task Scheduler then-zero-day vulnerability | | Local privilege escalation flaw that can let threat actors access protected files when exploited |
| May 2019 | ZombieLoad, Fallout, and Rogue In-Flight Data Load (RIDL) | CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 | Critical vulnerabilities in Intel processors that can leak data when exploited |
| February 2019 | | CVE-2019-5736 | A vulnerability affecting runC, a runtime component used by containerization technologies/platforms like Kubernetes |
| November 2018 | Kubernetes vulnerability | | A critical privilege escalation flaw in Kubernetes’ API server |
| August 2018 | | CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 | Speculative execution side-channel vulnerabilities affecting Intel processors |
| June 2018 | | CVE-2017-11882 | RAMPage takes advantage of Rowhammer, a hardware-based issue in the dynamic random access memory (DRAM) chips in Android devices |
| June 2018 | Drupalgeddon2 | | An RCE vulnerability in versions of the content management platform’s subsystems |
| January 2018 | | CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 | Hardware-level vulnerabilities in processor chips that affect their speculative execution feature |
| October 2017 | Key Reinstallation AttaCK (KRACK) | CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | Security flaws in the Wi-Fi Protected Access 2 (WPA2) protocol that can be exploited by KRACK to compromise WPA2’s encryption mechanism |
| September 2017 | | CVE-2017-1000251, CVE-2017-1000250, CVE-2017-0785, CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-8628, CVE-2017-14315 | Class of vulnerabilities affecting the implementation of Bluetooth in various operating systems |
| March 2017 | Apache Struts 2 RCE vulnerability | CVE-2017-5638 | A web application vulnerability that was exploited in the Equifax data breach |
| March and April 2017 | Vulnerabilities taken advantage of by exploits leaked by The Shadow Brokers hacking group | CVE-2017-0146 and CVE-2017-0147 (vulnerabilities exploited by EternalChampion); CVE-2017-0144 (EternalBlue) | Vulnerabilities in the SMB server v1 that can lead to arbitrary and remote code execution |
| February 2017 | Microsoft Windows Server Message Block (SMB) vulnerability | | A memory corruption flaw that can lead to remote denial of service |
| March 2016 | | | A vulnerability that affects HTTPS and other services that rely on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) |
| January 2016 | | | A cross-site scripting (XSS) vulnerability found in the WordPress plugin Jetpack, which put more than a million websites at risk of getting their administrator accounts hijacked |
| July 2015 | | CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, CVE-2015-3864 (Stagefright 1.0); | An Android vulnerability which could be used to install malware on a device via a simple multimedia message |
| May 2015 | | | A vulnerability that affects the Diffie-Hellman key exchange |
| March 2015 | FREAK | | A vulnerability that forces a secure connection to use weaker encryption, making it easy for cybercriminals to decrypt sensitive information |
| October 2014 | | | A vulnerability in SSL version 3.0 |
| September 2014 | Shellshock | | A vulnerability in the Bash shell, a user interface that uses a command-line interface to access an operating system’s services |
| April 2014 | | | A vulnerability in the popular OpenSSL cryptographic software library used by many websites and other applications like email, instant messaging, and virtual private networks (VPNs) |
Products With the Most Number of Distinct Vulnerabilities (as of October 11, 2019)
| Product Name | Vendor Name | Product Type | Number of Vulnerabilities |
| --- | --- | --- | --- |
| | | OS | |
| | | OS | |
| | | OS | |
| | | OS | |
| | | OS | |
| | | Application | |
| | | Application | |
| | | OS | |
| | | OS | |
| | | OS | |
Source: CVE Details
Responsible Vulnerability Disclosure
Responsible vulnerability disclosure involves informing companies of the vulnerabilities discovered in their products. This allows organizations time to release a fix before the vulnerability is disclosed to the general public.
However, if the vulnerability is used in the wild before any disclosure is made, Trend Micro believes that it is our duty to release more details right away. In the case of the Hacking Team leak, for instance, Trend Micro warned users that the data dumps included zero-day vulnerabilities that were being used in exploit kits and provided information on how users could protect themselves. We’ve also released advisories and technical information on various vulnerabilities, such as the recent ones in Internet Explorer, Edge, and Windows Task Scheduler, along with security best practices to help users and businesses defend against threats that exploit these flaws.
Trend Micro’s Zero Day Initiative (ZDI) works with a global community of researchers that augments ZDI’s own zero-day research and exploit intelligence. The ZDI represents the world’s largest vendor-agnostic bug bounty program, incorporating inputs, discoveries, and reports from more than 3,500 independent researchers. The ZDI’s disclosure policy entails responsibly and promptly notifying the vendors about a vulnerability while also distributing protection filters to Trend Micro. After notifications or a set timeline, and after patches have been rolled out by the vendors, the ZDI releases security advisories about the vulnerability.