A new report lists the top software vulnerabilities of 2019. Little surprise that Microsoft and Office feature in the top ten but not with the latest security bugs.
Recorded Future’s report, headed ‘2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products’, lists the top ten vulnerabilities of 2019.
Seven of the top ten vulnerabilities are from Microsoft products.
- Four are bugs in Internet Explorer.
- Three are security holes in Microsoft Office or Windows.
That’s the same score for Microsoft as in the list for 2018. Six of the 2019 ‘top ten’ were also on the 2018 list.
Old security bugs
What’s a little surprising is that all the top ten exploits are ‘old’ in security terms.
Only one in the top ten list is a security vulnerability found and patched in 2019. The rest are from 2018 (4), 2017 (3) or even ones from 2015 and 2012!
Equation Editor bug is still popular with hackers
Maybe you remember the very embarrassing Equation Editor bug from 2017? It was a 17 year old security hole in Microsoft Office’s Equation Editor.
More than two years later, that bug is still being widely exploited and is on the top ten list. There are 13 different exploit packs that hackers can get to misuse that one Office security problem.
Despite that, Microsoft continues to downplay the severity of their mistake. The CVE-2017-11882 entry still gives the bug a low ‘exploitability’ rating of ‘2 – Exploitation Less Likely’, and its 250-word description manages not to mention the Equation Editor even once!
Keep Windows and Office updated cautiously
The report confirms that it’s important to keep your software up-to-date – no surprise there.
Too many businesses and organizations don’t keep their machines updated, either because of cost or a lack of knowledge. These are the computers targeted by hackers.
If you’ve updated your Windows or Office software in the last month or two, you’re covered against the vast majority of common exploits.
Updating software immediately when there’s a new patch isn’t as compelling as Microsoft suggests. Microsoft always wants customers to patch their software immediately, despite the real risk that the patch itself causes trouble. That happens more often than Microsoft likes to admit.
The more prudent strategy is to update a few weeks after the patches become available. Unfortunately, there are no automatic options to do that. All you can do is halt updates, then manually enable them when necessary, at least once a month.
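Two quick checks that follow from the points above, written as an added example (not code from the article or from Recorded Future): whether this PC has taken any Windows update in the last month or two, and whether the legacy Equation Editor binary behind CVE-2017-11882 is still on disk (Microsoft removed it in an Office update in January 2018, so finding it means Office hasn’t been patched since then). The 60-day window and the Equation Editor install paths are this example’s own assumptions.

```powershell
# Added example, not part of the original article.
# Check 1: count Windows updates installed within the last N days.
# Check 2: look for EQNEDT32.EXE, the Equation Editor component exploited
#          via CVE-2017-11882. A patched Office should no longer have it.
# Assumed values: 60-day window and the candidate install paths below.

$MaxPatchAgeDays = 60

function Get-RecentHotFixCount {
    param([int]$Days = $MaxPatchAgeDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Get-HotFix lists installed Windows updates; InstalledOn can be blank
    # for some entries, so those are skipped rather than compared.
    @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff }).Count
}

function Test-EquationEditorPresent {
    # Typical locations for 32-bit and 64-bit Office installs (assumed paths).
    $candidates = @(
        "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "${env:CommonProgramFiles}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    )
    foreach ($path in $candidates) {
        if ($path -and (Test-Path -LiteralPath $path)) { return $path }
    }
    return $null
}

$recent = Get-RecentHotFixCount
if ($recent -eq 0) {
    Write-Warning "No Windows updates installed in the last $MaxPatchAgeDays days."
} else {
    Write-Output "$recent Windows update(s) installed in the last $MaxPatchAgeDays days."
}

$eqn = Test-EquationEditorPresent
if ($eqn) {
    Write-Warning "Equation Editor still present at $eqn; Office patches since January 2018 appear to be missing."
} else {
    Write-Output "Equation Editor binary not found, as expected on a patched Office."
}
```

Run it in an elevated PowerShell window; Get-HotFix only reports Windows updates, so the Equation Editor check is the one that says anything about Office itself.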
Other wise moves …
Always be wary of any incoming Office documents, especially any in the older .doc, .xls and .ppt formats. See: Why Old Office Documents should be banned
Keep your anti-virus and security software up to date. For most people that means Windows Defender, which comes with Windows and should update automatically.