Vulnerability


What is a vulnerability?

A vulnerability is a weakness or error in a system or device’s code that, when exploited, can compromise the confidentiality, availability, and integrity of data stored in them through unauthorized access, elevation of privileges, or denial of service. A code or tool used to take advantage of a vulnerability is called an exploit.

Most of the disclosed vulnerabilities are shared on the National Vulnerability Database (NVD) and enumerated in the Common Vulnerabilities and Exposures (CVE) List to make it easier to share data across separate vulnerability capabilities.

Here are some of the recent, notable vulnerabilities:

 
DateVulnerabilityCVE IdentifierDetails

September 2019

Internet Explorer vulnerability

CVE-2019-1208

A critical, use-after-free flaw that can lead to arbitrary or remote code execution (RCE)

June 2019

macOS double free vulnerability

CVE-2019-8635

A privilege escalation flaw that can let attackers execute code in the vulnerable macOS-based system

May 2019

BlueKeep

CVE-2019-0708

Vulnerability in remote desktop services notable for its “wormability”

May 2019

Windows 10 Task Scheduler then-zero-day vulnerability

CVE-2019-1069

Local privilege escalation flaw that can let threat actors access protected files when exploited

May 2019

ZombieLoad, Fallout, and Rogue In-Flight Data Load (RIDL)

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Critical vulnerabilities in Intel processors that can leak data when exploited

February 2019

runC vulnerability

CVE-2019-5736 

A vulnerability affecting runC, a runtime component used by containerization technologies/platforms like Kubernetes

November 2018

Kubernetes vulnerability

CVE-2018-1002105

A critical privilege escalation flaw in Kurbenetes’ API server

August 2018

Foreshadow/L1TF

CVE-2018-3615, CVE-2018-3620, CVE-2018-3646

 

Speculative execution side-channel vulnerabilities affecting Intel processors

June 2018

RAMpage

CVE-2017-11882

RAMPage takes advantage of Rowhammer, a hardware-based issue in the dynamic random access memory (DRAM) chips in Android devices

 

June 2018

Drupalgeddon2

CVE-2018-7600

An RCE vulnerability in versions of the content management platform’s subsystems

January 2018

Meltdown and Spectre

CVE-2017-5754, CVE-2017-5753, CVE-2017-5715

Hardware-level vulnerabilities in processor chips that affect their speculative execution feature

October 2017

Key Reinstallation AttaCK (KRACK)

CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

Security flaws in the Wi-Fi Protected Access 2 (WPA2) protocol that can be exploited by KRACK to compromise WPA2’s encryption mechanism

September 2017

BlueBorne

CVE-2017-1000251, CVE-2017-1000250, CVE-2017-0785, CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-8628, CVE-2017-14315

Class of vulnerabilities affecting the implementation of Bluetooth in various operating systems

March 2017

Apache Struts 2 RCE vulnerability

CVE-2017-5638

A web application vulnerability that was exploited in the Equifax data breach[CG(1] 

March and April 2017

Vulnerabilities taken advantage of by exploits leaked by The Shadow Brokers hacking group 

CVE-2017-0146 and CVE-2017-0147 (vulnerabilities exploited by EternalChampion); CVE-2017-0144 (EternalBlue)

 

Vulnerabilities in the SMB server v1 that can lead to arbitrary and remote code execution

February 2017

Microsoft Windows Server Message Block (SMB) vulnerability

CVE-2017-0016

A memory corruption flaw that can lead to remote denial of service

March 2016

DROWN

 

A vulnerability that affects HTTPS and other services that rely on Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

January 2016

Linux flaw

 

A cross-site scripting (XSS) vulnerability found in the WordPress plugin Jetpack, which put more than a million websites at risk of getting their administrator accounts hijacked

July 2015

Stagefright

CVE-2015-1538CVE-2015-1539CVE-2015-3824CVE-2015-3826CVE-2015-3827CVE-2015-3828CVE-2015-3829CVE-2015-3864 (Stagefright 1.0);
CVE-2015-6602 (Stagefright 2.0)

An Android vulnerability which could be used to install malware on a device via a simple multimedia message

May 2015

LogJam

CVE-2015-4000

A vulnerability that affects the Diffie-Hellman key exchange

March 2015

FREAK

CVE-2015-0204

A vulnerability that forces a secure connection to use weaker encryption, making it easy for cybercriminals to decrypt sensitive information

October 2014

Poodle

CVE-2014-3566

A vulnerability in  SSL version 3.0

September 2014

Shellshock

CVE-2014-6271, CVE-2014-7169

Affects a vulnerability in the Bash shell, a user interface that uses a command-line interface to access an operating system’s services

April 2014

Heartbleed

CVE-2014-0160

A vulnerability in the popular OpenSSL cryptographic software library used by many websites and other applications like email, instant messaging, and virtual private networks (VPNs)

View more

Products With the Most Number of Distinct Vulnerabilities (as of October 11, 2019)

Product NameVendor NameProduct TypeNumber of Vulnerabilities

Debian Linux

Debian

OS

3,064

Android

Google

OS

2,563

Linux Kernel

Linux

OS

2,356

Mac Os X

Apple

OS

2,212

Ubuntu Linux

Canonical

OS

2,006

Firefox

Mozilla

Application

1,873

Chrome

Google

Application

1,858

iPhone OS

Apple

OS

1,655

Windows Server 2008

Microsoft

OS

1,402

Windows 7

Microsoft

OS

1,262

Source: CVE Details

Responsible Vulnerability Disclosure

Responsible vulnerability disclosure involves informing companies of the vulnerabilities discovered in their products. This allows organizations time to release a fix before the vulnerability is disclosed to the general public.

However, if the vulnerability is used in the wild before any disclosure is made, Trend Micro believes that it is our duty to release more details right away. In the case of the Hacking Team leak , for instance, Trend Micro warned users that the data dumps included zero-day vulnerabilities that were being used in exploit kits and provided information on how users could protect themselves. We’ve also released advisories and technical information on various vulnerabilities, such as the recent ones in Internet Explorer, Edge, and Windows Task Scheduler, along with security best practices to help users and businesses defend against threats that exploit these flaws.

Trend Micro’s Zero Day Initiative (ZDI) works with a global community of researchers that augments ZDI’s own zero-day research and exploit intelligence. The ZDI represents the world’s largest vendor-agnostic bug bounty program, incorporating inputs, discoveries, and reports from more than 3,500 independent researchers. The ZDI’s disclosure policy entails responsibly and promptly notifying the vendors about a vulnerability while also distributing protection filters to Trend Micro. After notifications or a set timeline, and after patches have been rolled out by the vendors, the ZDI releases security advisories about the vulnerability.

Related content:

Security 101: Zero-Day Vulnerabilities and Exploits
From Homes to the Office: Revisiting Network Security in the Age of the IoT
Securing the Industrial Internet of Things: Protecting Energy, Water and Oil Infrastructures
Cybercrime and Exploits: Attacks on Unpatched Systems
Security 101: Virtual Patching
Guide to Network Threats: Strengthening Network Perimeter Defenses with Next-generation Intrusion Prevention
Virtual Patching: Patch Those Vulnerabilities before They Can Be Exploited