For cyber-attackers, the old flaws are still the best, according to HP's Cyber Risk Report 2014, and it has a startling piece of evidence to back up its claim: the most commonly exploited software vulnerability last year was the infamous .lnk flaw in Windows XP, made famous by Stuxnet in the distant summer of 2010.
Designated CVE-2010-2568, this flaw on its own accounted for a third of all exploits the firm detected being used against its customers, just ahead of the even older CVE-2010-0188, a flaw in Adobe's Reader and Acrobat, which was responsible for 11 percent of exploits.
The rest of the top-ten list was a ragtag of mainly Java vulnerabilities dating from 2012 and 2013, with one in Microsoft Office, CVE-2009-3129, dating back to the mists of September 2009.
As for the Stuxnet flaw, its continued use was no accident, nor merely a legacy of old exploits that criminals keep trying out of habit: unlike most of the old vulnerabilities, its use in attacks actually grew throughout the year.
In contrast, the most targeted of the 30 popular flaws discovered in 2014 was last February's Internet Explorer 10 remote code execution zero day, CVE-2014-0322, followed by CVE-2014-0307, also in IE. All of the other top-ten flaws discovered during the year were in Flash, Firefox, Office and Windows, which, HP suggests, means that Java might finally be getting on top of its security problems.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said HP’s senior VP of Enterprise Security Products, Art Gilliland.
HP didn't give absolute numbers for comparison, but it had calculated that 44 percent came from vulnerabilities that were between two and four years old.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organisations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk.”
Overall, HP’s Zero Day Initiative (ZDI) had dealt with a record number of vulnerabilities during 2014, the firm said.
According to HP, the most common non-Windows exploit was the Android Master Key vulnerability, CVE-2013-4787, discovered in July 2013, which accounted for one percent of all samples.