SPOTLIGHT RiskSense Vulnerability Weaponization Insights · 2019-04-16 · This Spotlight report...

S P O T L I G H T

RiskSenseVulnerability

WeaponizationInsights

20 Years of Adobe Software Vulnerabilities Reveal Important Lessons for Remediation Teams and Software Developers Alike

S P O T L I G H T

This Spotlight report provides in-depth analysis of vulnerabilities and weaponization patterns across the entire family of Adobe products. By focusing on weaponization, we go beyond simply counting vulnerabilities, and instead reveal how popular software from a leading vendor becomes a beacon for attackers. A significant number of these vulnerabilities are exploitable and have remote code execution capabilities, changing their status from a potential threat to an active and live cyber risk exposure point. While our findings naturally focus on the most recent data, the report includes more than 20 years of data from 1996 through 2018, allowing us to see long-term trends.

This combination of scope and focus on threat impact provides invaluable insight for IT and security teams, executives, as well as application development teams. For example, while the overall count of vulnerabilities in 2018 was significantly down from the highpoint of 2016, our analysis shows that 2018 was the most active and significant year in terms of weaponization. It marks a year with the largest overall number of weaponized vulnerabilities. While total number of vulnerabilities had been declining, 2018 data shows that the percentage of weaponized vulnerabilities is almost half of this total (47%). Patching and countermeasures were less effective because 2018 also had the largest number of vulnerabilities weaponized prior to a patch being available.

Most importantly, this report provides insights and recommendations that can be used by IT, security, and development teams to significantly reduce risk for their organizations. In this Spotlight report, we:

• Analyze the weaponization and attacker patterns for Adobe CVEs and propose a more efficient threat-centric remediation approach;

• Present a deep analysis of how vulnerabilities and product weaknesses map to specific classes of threats such as exploits and malware;

• Analyze the coding weaknesses and issues that contribute to the most severe threats and ongoing Adobe product susceptibility.

Our analysis and threat attribution of more than 2,500 Adobe vulnerabilities has clearly revealed Acrobat Reader and Flash as the two of the most vulnerable Adobe software products over the last 20 years. Adobe's 2015 foray into the cloud with Acrobat DC also led to a steep increase in the vulnerability count (a rise of 300 vulnerabilities). While Flash consistently contributed a substantial number of vulnerabilities until 2016 (around 1,300), Adobe has been successful in reducing the overall Flash-related vulnerability count since then. The Importance of Threat-Centric AnalysisWe emphasize the importance of efficient remediation, based on vulnerability lifecycle and threat metrics. In some cases, exploits related to critical exploit kits like Neutrino and Angler have been in the wild for more than a year prior to an associated CVE appearing in the National Vulnerability Database (NVD). We explore such patterns using Time-To-Disclosure (TTD) and Time-to-Weaponize (TTW) metrics and propose an efficient threat-centric remediation approach.

RiskSense Vulnerability Weaponization Insights • April 2019

Executive Summary

Page 1 Spotlight • RiskSense Vulnerability Weaponization Insights

In the figure below, we capture the overall Adobe product vulnerability and threat snapshot with a funnel chart representation. This representation shows vulnerability and threat data in an informative and actionable manner. As we move from left to right, the funnel drills down into successively more granular, and critical, CVEs for remediation. Across the entire set of 2,891 vulnerabilities, 721 vulnerabilities are weaponized with associated threats, either exploit or malware, of which there are 72 CVEs with Remote Code Execution (RCE) type, 191 CVEs with Denial of Service (DoS) type, 65

CVEs with Privilege Escalation (PE) type, 15 CVEs with Web Apps, 14 with exploit kits, and numerous other miscellaneous malware and exploits (primarily Trojan). We reduce our data set further to 152 vulnerabilities by concentrating on critical CVEs associated with RCE, PE, and Web App-based exploits. Last, we arrive at the nine trending¹ vulnerabilities based on threat intelligence collected from the wild. These CVEs should receive immediate attention, as they have the greatest potential for an attack and will greatly improve an organization’s security posture once remediated.

Executive Summary (Continued)


Actionable Funnel for Adobe Vulnerabilities and Threats

2,891

721152

Vulnerabilities

9

Start Here

Critical CVEswith RCE, PE, and Web Appps

Weaponizedwith Exploit/Malware

Total Adobe CVE ID Count CVEs That Matter

TrendingExploit/Malware

¹ Represents trending data for 2018 from RiskSense


Key Insights


Biggest Years for Vulnerabilities: 2015 & 2016Across all years examined, 2015 saw the largest increase year over year for disclosed vulnerabilities, both in terms of total vulnerabilities and high-severity vulnerabilities. The 496 vulnerabilities found in 2015 represented a 256% increase compared to 2014. That figure includes 314 high-severity vulnerabilities, which marks the largest year-over-year growth in Adobe's history. 2016 provided the overall highwater mark for vulnerabilities with a total of 538 of which 480 were high severity.

2018 Was the Biggest Year for WeaponizationWhile the overall number of vulnerabilities in 2018 was down 30.5% compared to the all-time high in 2016, it was by far the most significant year in terms of weaponization. It had the largest number of total weaponized vulnerabilities (177) as well as the highest percentage (47%) of vulnerabilities being weaponized. Even more concerning, 50 of these were weaponized BEFORE a patch was available. This was by far the highest number seen over the course of the report with 2010 taking second place with 18. It will bear close monitoring to see if 2018 is an outlier or part of a more concerning trend.

Buffer Overflow Most Common VulnerabilityAmong all the 2,891 vulnerabilities considered, Buffer Overflow was the most common vulnerability type across all years (1,094 CVEs), distantly followed by Out-of-bounds Read (195 CVEs), and Use After Free (160 CVEs) types.

Acrobat Reader Family Most VulnerableThe Acrobat Reader family of products takes the award for containing the most vulnerabilities (1,338). Particularly introducing 137 vulnerabilities in 2015 with the introduction of Adobe Acrobat DC. Among the 721 unique CVEs having applicable threats, Denial of Service (DoS) is the most prevalent exploit type (applicable to 191 CVEs) for Adobe product-related vulnerabilities followed by Remote Code Execution (applicable to 72 CVEs). This directly correlates with the most prevalent Memory Mismanagement weakness (representing a combination of Buffer Overflow, Out-of-bounds Read, and Use-After Free) introduced by the developers into Adobe products.

Disclosure Latency Not Improving The average disclosure latency between Adobe and the NVD has been inconsistent over all the years. While the NVD did a good job in publishing all Adobe CVEs with no latency for years 2005–2006, all other years did have disclosure latency. Particularly, 2012 being the worst year with 23 days of average vulnerability disclosure latency. The situation hasn’t improved in recent years either, with 2017 and 2018 having 13 and 21 days of average disclosure latency respectively.

Adversaries Take Advantage of Disclosure LatencyAdversaries have taken advantage of disclosure latency by exploiting weaknesses in Flash and Acrobat Reader through exploits that have been converted to notorious exploit kits like Neutrino, RIG, and Angler. Particularly for CVE-2015-8651 and CVE-2016-4117, adversaries were able to propagate the respective exploits in the wild before the vulnerability was publicly disclosed.

Memory Management a Persistent IssueMemory mismanagement is the primary weakness resulting in severe threats for the Acrobat Reader and Flash product families. As we show using our unique threat to weakness to product attribution visualizations, memory management weakness has led to 938 unique vulnerability-exploit pairs and 1,047 unique vulnerability-malware pairs with most of these threats applicable to Acrobat Reader and Flash products.

Managing Latency for Efficient RemediationOur analysis shows that exploits in widely used exploit kits such as Neutrino and Angler were in the wild for more than a year before the associated vulnerability was released. We explore such patterns in detail using Time-To-Disclosure (TTD) and Time-to-Weaponize (TTW) latency metrics and propose an efficient threat-centric remediation approach. This analysis shows that vulnerability scanners alone are not sufficient for defending against all critical Remote Code Execution (RCE) and Privilege Escalation (PE) in Adobe products. As such, organizations should adopt a vulnerability lifecycle approach that includes real-world threat metrics in order to ensure full and efficient remediation.


Executive Summary

Key Insights

1. Data Snapshot and Methodology

2. NVD Disclosure Latency

3. Weaponization Latency Details

4. Overall Vulnerability and Threat Details

5. Vulnerabilities by Weakness

6. Product Details

Conclusion

Appendices

1

3

5

7

9

14

17

21

24

25

Table of Contents



Data SnapshotThe input data set for this analysis includes only CVEs affecting Adobe products which represents a total of 2,891 CVEs. While our primary data source was Adobe's security bulletins and advisories published since 2006, we have also included CVEs published by third parties like scanner KBs, bug bounty programs, vendors (SUSE, Red Hat, Microsoft, etc.), and NVD entries that were not included in Adobe security bulletins and advisories.

Figure 1(a) shows the volume of the data across each year.

Figure 1(a): Overall Data View by Year

CVSS v2: Low/Medium/High with Exploit

1996-200424 CVEs: 3L/9M/12H

6 Threats (25%)

200517 CVEs: 4L/6M/7H

5 Threats (29%)

200634 CVEs: 9L/18M/7H

3 Threats (9%)

200739 CVEs: 0L/27M/12H

14 Threats (36%)

200863 CVEs: 1L/28M/34H

16 Threats (25%)

200999 CVEs: 1L/25M/73H

24 Threats (24%)

2010208 CVEs: 1L/24M/183H

38 Threats (18%)

2011203 CVEs: 0L/36M/167H

16 Threats (8%)

2012149 CVEs: 0L/14M/135H

9 Threats (6%)

2013149 CVEs: 1L/7M/141H

16 Threats (11%)

2015496 CVEs: 1L/66M/429H

176 Threats (35%)

2014139 CVEs: 0L/24M/115H

22 Threats (16%)538 CVEs: 0L/58M/480H

125 Threats (23%)

2016 2017359 CVEs: 0L/99M/260H

74 Threats (21%)

2018 through November

374 CVEs: 0L/253M/121H

177 Threats (47%)

1. Data Snapshot and Methodology



1. Data Snapshot and Methodology (Continued)

Vulnerability Enhancement Methodology For enriched and contextual information around a CVE, we considered the following data from NVD: • CVSS (Common Vulnerability Scoring System): The

CVSS devised by the Forum for Incident Response and Security Teams (FIRST) organization provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The current version of CVSS is 3.0. However, all CVEs do not have a relevant CVSS 3.0 score. Hence, we considered CVSS 2.0 for all CVEs. In all cases, we have evaluated the difference between CVSS 2.0 and 3.0, and have considered only CVEs that have numerical scores from both versions.²

• CPE (Common Platform Enumeration): The CPE is a structured naming scheme for information technology systems, software, and packages that was first developed by MITRE. Currently, NIST manages the CPE libraries and updates to it. CVE to CPE mappings are the primary source we used to map Adobe CVEs to their respective product versions. Since CPE is a machine-understandable format, we have processed CPE strings pertaining to each CVE and further eliminated duplicate CVEs to product mappings. We have cross-verified our CVE to product mappings by comparing them with product details available within Adobe security bulletins and advisories.

• CWE (Common Weakness Enumeration): CWE is a list of common software security weaknesses. It serves as a common language for identifying weaknesses introduced into software through poor programming practices. We have used CVE to CWE mappings to identify the weaknesses related to Adobe CVEs.

Threat Attribution MethodologySince there's no single reliable source to enrich threat context around a CVE, we gathered and processed contextual threat data from several sources on the internet. Some of the primary sources include:

Exploit Frameworks (like Metasploit, Canvas, and Elliot Kit), AlienVault Open Threat Exchange (OTX), SANS

Internet Storm Center, Exploit-DB, Contagiodump, Symantec, Microsoft Threat, IBM X-Force threat intelligence along with several other hacker forums and Twitter feeds. However, the primary limitation of the above approach is that we are limited to considering only those threats that are directly mapped to CVEs. This results in a limited threat landscape since there are always threats targeting different Adobe products that are not mapped to respective CVEs. We address this limitation using our threat knowledge graph model.

In a threat knowledge graph model, we explore the semantic relationships between different security entities and derive inferences from such relationships. Security entities include Indicators of Compromise (IoCs), Indicators of Exploit (IoEs), threat actors, threat campaigns, infrastructure, underlying weakness, threat types, etc. Some examples of the relationships between security entities include: a certain malware (threat type) affects a certain product (infrastructure), a buffer overflow weakness within a product (infrastructure) results in a Denial of Service (DoS) attack (threat type), a certain set of indicators result from a malware (threat type), etc. To be consistent in a machine readable form, all relationships are derived from an ontological model.

The underlying intent of the knowledge graph is to go beyond regular CVE-based threat attribution (i.e., not limit ourselves to gathering only those threats that are mapped to CVEs but create a linkage between openly available threats and target infrastructure, particularly products). We achieve such linkage by applying inferential analysis on our threat knowledge graph. For the scope of this report, we gathered and captured the attributes pertaining to the following in our knowledge graph model: (a) publicly available threats (malware and exploits) from the internet affecting Adobe products (but not directly mapped to specific product versions) and (b) weaknesses in Adobe products. We finally derived relationships between the threats and the precise set of products they affect by subjecting the relationship between their attributes in the knowledge graph through our inferential analysis. We will show in this report how such relationships between weaknesses, threats, and products can be visualized for actionable intelligence.


² FIRST https://www.first.org/


Figure 2(a): Percent of Vulnerabilities for Each Year for Vendor First versus Same Day

The National Vulnerability Database (NVD) feeds CVE entries from MITRE, partner vendors, trusted security researchers and enhances each CVE entry with remedia-tion information, severity scores, impact ratings, vendor name, product name, vulnerability type, etc. This enhanced contextual information around a CVE makes it one of the most reliable sources for consuming CVE data. Hence research teams and infrastructure security teams within organizations rely on the NVD’s CVE feed to stay current on the latest CVEs and their impact informa-tion. However, not all CVEs disclosed by vendors get into the NVD in a timely manner leading to CVE disclosure latency with respect to the NVD release date.

In this section, we present the NVD CVE disclosure latency, i.e., the number of days NVD has waited before publishing a CVE after it was first released by Adobe or another third party vendor. Figure 2(a) shows the percentage of (a) CVEs released by the vendor first and (b) CVEs disclosed by NVD on the same day as vendor release. Across all the years, the NVD did not publish any Adobe-related CVEs before

Adobe or third party vendors. Hence, the NVD first category is eliminated.

Although the NVD did publish CVEs on the same day that Adobe and other third parties released them (thus avoiding CVE disclosure latency), the percentage of such CVEs across the time period is significantly less. The years 1996–2006 are the only exceptions to this trend. During this period, out of the total 75 CVEs released by Adobe, 64 CVEs were published on the same day by the NVD. However, this disclosure efficiency waned in subsequent years.

The percentage of CVEs released by the vendor versus published on the same day by the NVD varies greatly between 2008 and 2018. The top three years with a significant variation are 2010, 2011 and 2018. Each of these years register more than 90% of CVEs experiencing NVD disclosure latency. Particularly, in 2018 among a total of 376 total vulnerabilities released, the NVD published only 10 CVEs on the same day as vendor release day.


2. NVD Disclosure Latency

100

80

60

40

20

0

Vendor First Same Day

2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 20171996-2004 2005 2018

Perc

enta

ge o

f CVE

s


Figure 2(b): Adobe to NVD Publication – Average Latency Across all Years

NVD

6

32

5

5 5

137

2

21

15

24 days

2006

2005

1996-2004

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

2 00

We show year over year average disclosure latency in Figure 2(b). Each line represents the average disclosure latency for a given year considering all the vulnerabilities released in that year. For example, among all the Adobe vulnerabilities released in 2008, it took NVD an average of 15 days to disclose the vulnerability details after it was released by Adobe.

2012 was the year with the highest average CVE disclosure latency at 24 days. Despite 2015 and 2016 seeing heavy increase in the number of CVEs disclosed by Adobe, the average CVE disclosure latency from the NVD for those years is only 7 and 6 days respectively. However, looking at the average disclosure latency for years 2017 and 2018 (i.e, 13 and 21 days respectively), it

indicates that the NVD was not able to keep up with the volume and rate of vendor CVE disclosure.

In the following sections we further correlate NVD disclosure latency with weaponization patterns and look at the resulting threat and attack landscape.

While CVE-2012-0771 contributes a whopping 2,197 days to 2012’s average disclosure latency of 24 days, it should be considered an outlier in this case along with CVE-2012-2052 which had 772 days of disclosure latency. The majority of CVEs released in 2012 (135 of 149) have a NVD disclosure latency of less than 5 days, as such, we see CVE-2012-0771 and CVE-2012-2052 contributing heavily to the average for that year.


2. NVD Disclosure Latency (Continued)




In this section, we further expand on the vulnerability disclosure latency by adding threat context to it. We do this by combining vulnerability latency metrics and weaponization states occurring within those latency timelines. We define vulnerability latency metrics as the time latency involved within different stages of a vulnerability’s lifecycle. This lifecycle is defined as the different stages a vulnerability goes through from its inception to its end. We use the following latency definitions for a vulnerability within its life cycle.

1. Time to Disclosure (TTD): This is the time latency between the vulnerability release by vendor or third party, and NVD publication.

2. Time to Weaponize (TTW): This is the time latency between the earliest time a vulnerability is disclosed and the time it is weaponized. Weaponization here refers to publication of exploit code that can be attributed to a given CVE.

3. TTP (Time to Develop Patch): This is the time latency between the earliest vulnerability release and the time at which its patch is released.

We define weaponization states as relationships between the lifecycle stages (i.e., we define weaponization states through the relationship between the vendor's CVE disclosure date, patch/workaround date, exploit weaponization date, and NVD disclosure date). To this end, we use the following weaponization states:

3. Weaponization Latency Details

• Exploit released before NVD publication and before patch release (X < NVD, X < Patch)• Exploit released before NVD publication and after patch release (Patch < X < NVD)• Exploit released after NVD publication and after patch release (NVD < X, Patch < X)• Exploit released after NVD publication and before patch release (NVD < X < Patch)

In figure 3(a), we show the distribution of vulnerabilities with threats across the above-defined weaponization states. Each quadrant represents a weaponization state and each stacked horizontal bar within the quadrant represents the number of weaponized CVEs for that year. The color within each stacked bar represents the number of CVEs corresponding to each CVSS v2 severity level.

Below, we show the actual latency metrics for the CVEs that have been used to create the most prolific threats (exploits, exploit kits, and malware) for Adobe products in the last 20 years.

To try and mitigate latency issues, it’s clear that organizations must make themselves aware of vulnerability data in three places – the vendor’s web site, the NVD, and the data obtained from their vulnerability management program.

Further, to overcome the well-understood limitations of scanners (Appendix B), organizations may consider

adopting a virtual scanning methodology. In virtual scanning, the target software fingerprint is cross checked against product versions (CPEs) and applicable CVEs from Adobe (and other third party) security bulletins and then prioritized for remediation in a timely manner, thereby reducing the dependency on scanning vendors alone while prioritizing critical vulnerabilities.

2. NVD Disclosure Latency (Continued)

Figure 3(a): Weaponization Stages

1 2 3 4 5 6 7 8 9 10 CVSS Rating: 1– 10

Exploit released before NVD publication and before patch release

<NVD, X<X PATCH 138 CVEs

Exploit released before NVD publication and after patch release

< < NVDXPATCH 93 CVEs

< <NVD X PATCHExploit released after NVD publication and before patch release

15 CVEs

Exploit released after NVD publication and after patch release

<NVD X< X, PATCH473 CVEs


3. Weaponization Latency Details (Continued)

• Exploit released before NVD publication and before patch release (X < NVD, X < Patch)• Exploit released before NVD publication and after patch release (Patch < X < NVD)• Exploit released after NVD publication and after patch release (NVD < X, Patch < X)• Exploit released after NVD publication and before patch release (NVD < X < Patch)

In figure 3(a), we show the distribution of vulnerabilities with threats across the above-defined weaponization states. Each quadrant represents a weaponization state and each stacked horizontal bar within the quadrant represents the number of weaponized CVEs for that year. The color within each stacked bar represents the number of CVEs corresponding to each CVSS v2 severity level.

Below, we show the actual latency metrics for the CVEs that have been used to create the most prolific threats (exploits, exploit kits, and malware) for Adobe products in the last 20 years.


Spotlight • RiskSense Vulnerability Weaponization Insights


CVE-2015-8651

12/28/15

NVD1/14/14

CVSS v2 CVSS v3 Adobe Product Threat Details

9.3 Flash Player8.8 Angler exploit kit, Neutrino exploit kit, Nuclear Pack exploit kit, RIG exploit kit

Time to Disclosure (TTD): 0 daysTime to Weaponize (TTW): -713 daysTTP (Time to Develop Patch): 0 day

CVE-2016-4117

5/10/16

NVD1/14/14 5/11/16


10 Flash Player9.8 Angler exploit kit, Magnitude exploit kit, Neutrino exploit kit, RIG exploit kit

Time to Disclosure (TTD): -1 daysTime to Weaponize (TTW): -847 daysTTP (Time to Develop Patch): 0 day

12/10/15

NVD12/8/15

CVE-2015-8446

12/20/15CVSS v2 CVSS v3 Adobe Product Threat Details

NA Flash Player9.3 Angler exploit kit


3/10/16

NVDCVE-2016-1010


10 Flash Player9.8 Angler exploit kit


The most alarming weaponization pattern is X < NVD, X < Patch, where the exploit for the CVE was released before it was published in the NVD and an official patch was released. There are a total of 138 CVEs falling into this category. Looking deeper, we can observe that the count of the CVEs following this weaponization pattern

increased in 2018 with more than 45 CVEs subjected to weaponization before they appear in the NVD and a corresponding patch was released. This indicates that adversaries are actively targeting Adobe products and further taking advantage of the disclosure and weaponization latencies to propagate their attacks.

High-Severity Vulnerabilities Timeline

NVD Release Date

Exploit Release Date

Patch Release Date

Earliest CVE Release Date

NVD

Vulnerability Lifecycle Metrics Mapped to Threats (Reverse-Chronological Order)


Spotlight • RiskSense Vulnerability Weaponization Insights


NVD Release Date


Patch Release Date


NVD

CVE-2010-2883

10/5/10

NVD9/9/109/8/105/28/09


NA Acrobat Reader9.3 Winnti backdoor, Whalfrost backdoor, Tapaoux trojan, Sprayload trojan


CVE-2010-1297

6/4/10

NVD6/8/102/26/08


NA Flash Player9.3 Sprayload trojan, Pidief trojan,


CVE-2015-7645

10/14/15

NVD10/12/15 10/15/15


NA Flash Player9.3 Angler exploit kit, Hunter exploit kit, Magnitude exploit kit, Neutrino exploit kit, Nuclear Pack exploit kit, RIG exploit kit, Spartan exploit kit


CVE-2010-0188

2/16/10

NVD2/22/102/26/08


NA Acrobat Reader9.3 Neutrino exploit kit, Neclu exploit kit, Pdfjsc exploit, Bloodhound exploit, Pidief trojan,Protucs backdoor


CVE-2013-0634

2/7/13

NVD2/8/13


NA Flash Player9.3 Axpergle exploit, Pangimop exploit, RIG exploit kit, Magnitude exploit kit

Time to Disclosure (TTD): -1 daysTime to Weaponize (TTW): 0 daysTTP (Time to Develop Patch): 0 day


NVD Release Date


Patch Release Date


NVD



10/04/02NVD

CVE-2002-1019


10 Flash Player9.8 Magnitude exploit kit, Neutrino exploit kit, Nuclear Pack exploit kitTime to Disclosure (TTD): 0 days

Time to Weaponize (TTW): 4120 daysTTP (Time to Develop Patch): 0 day

CVE-2009-4324

1/12/10

NVD12/14/0912/4/095/28/09


NA Acrobat Reader9.3 Pdfka exploit, Pdfjsc exploit, Blacole exploit kit, Protucs backdoor, Whalfrost backdoor, Zeroaccess trojan


CVE-2009-0927NVD

3/19/098/6/08 3/18/09CVSS v2 CVSS v3 Adobe Product Threat Details

NA Acrobat Reader9.3 Pidief exploit, Bloodhound exploit



Vulnerability & Threat Details by YearWe start by providing an initial overview of the vulnerabilities and threats revealed over the years. Figure 4(a) shows the volume of vulnerabilities pertaining to Adobe products released between August 1996 and November 2018. It can be quickly observed that the volume of vulnerabilities has steadily increased from 1996 to 2010 and experienced a slight decline in 2012 and then remained steady until 2014. 2015 saw a steep increase in the number of vulnerabilities disclosed compared to the previous year. In 2014, the total number of vulnerabilities disclosed was 139, rising to 499 in 2015, (i.e., a 3.5x increase from 2014). We see a slight increase in the numbers going into 2016 (i.e., by 39 CVEs). While the total number of vulnerabilities disclosed in 2017 fell compared to 2016 by 179 CVEs, the total count was still significantly higher than the pre-2015 period. This shows a unique pattern of a steep increase in the vulnerabilities disclosure for Adobe products post-2015. So, what contributed to this spike post-2015? Is it any abnormal weaknesses introduced into Adobe products and which products were affected by this increase in vulnerability numbers? We will find out later in sections 5 and 6.

The overall vulnerabilities with threats over the years follow a different pattern than the number of vulnerabilities released. We look at this data from two perspectives, pre-2015 and post-2015, since we observed a significant spike in the number of vulnerabilities post-2015.

During the pre-2015 period, the percentage of vulnerabilities with threats compared to the total number of vulnerabilities has varied significantly between 1996–2014 ranging from as low as 6% of CVEs in 2012 (i.e., 9 out of total 149 CVEs) to 35% in 2007 (i.e., 14 CVEs out of 39 CVEs). During the post-2015 period, the percentage of vulnerabilities with threats compared to the total vulnerabilities rose sharply in 2015 with 35% of the vulnerabilities having threats (i.e., 176 CVEs out of 499 CVEs) and reached an all time peak in 2018 with 47% of vulnerabilities released in that year having threats (i.e., 177 CVEs out of total 376 CVEs).

The overall count of vulnerabilities disclosed and vulnerabilities with threats can be divided into two time periods, pre-2015 and post-2015. 2015 saw the highest spike in terms of vulnerabilities disclosed over the previous year, i.e., an increase of 360 total vulnerabilities.

2018

376

177

2017

359

74

2016

538

125

2015

499

176

2014

139

22

2013

149

16

2012

149

9

2011

203

16

2010

208

38

2009

99

24

2008

63

16

2007

39

14

2006

34

3

2005

175

1996-2004

246

CVEs Threats Figure 4(a): Number of CVEs and Threats Related to Adobe Products Over all Years

2018 saw the highest number of vulnerability to threat ratio,

47% (i.e., the percentage of vulnerabilities released in 2018 that have associated threats, 177 out of 376 total CVEs).

This section presents the overall vulnerability and threat statistics and patterns. We primarily focus on high-level details like the number of vulnerabilities released over the years, their severity distributions, and a high-level view of threats applicable to vulnerabilities over the years and their distribution within the CVSS severity levels.


4. Overall Vulnerability and Threat Details


0 100 200 300 400 500 600

LowMediumHigh

Let's take a deeper look at the severity distribution of vulnerabilities under consideration. The CVSS v2 and v3 distributions are shown in Figures 4(b) and 4(c) respectively. As mentioned above, the severity is derived by mapping the vulnerabili-ties to their CVSS rating. We will look at the high-severity vulnerability ratio using CVSS v2 with respect to pre- and post-2015 vulnerability disclo-sure and see the correlation between high-severity vulnerabilities and total vulnerabilities (i.e., the high severity to total vulnerability ratio). From figure 4(b), it can be observed that at least 80% of all vulnerabilities released between 2010 and 2015 are high-severity vulnerabilities. Particu-larly, 2012 and 2013 seeing 90% of high-severity vulnerabilities among the total vulnerabilities released. In 2012, 135 out of 149 and in 2013, 141 out of 149 are high-severity vulnerabilities. Does this upward trend of increase in high-severity vulnerabilities continue post-2015?

2015 and 2016 see a decline in the ratio of high severity to total number of vulnerabilities (i.e., close to 85%). In 2015, 429 out of 496 vulnerabili-ties are high severity and in 2016, 480 out of 538 are of high severity. This decline in high-severity vulnera-bilities to total vulnerabilities ratio continues into 2017 and 2018. In

2018, only 32% of total vulnerabilities are high-severity vulnerabilities, i.e., 121 vulnerabilities out of the total 374.

Though the total number of vulnerabilities disclosed has increased post-2015, the high severity to total vulnerabilities ratio has decreased during this period when compared to pre-2015 time period.

Figure 4(c) shows the vulnerability severity distribution based on CVSS v3 scoring mechanism. We have included CVSS v3 scores from the time that CVSS v3 was formalized, June of 2015. A shift to higher severity can be observed over the years between CVSS v2 and v3 (i.e., high-severity vulnerabilities are categorized into critical severity buckets and medium-severity vulnerabilities are categorized into high severity). This is further observed in figure 4(d).

Figure 4(d) shows the distribution of vulnerabilities across all severity levels in CVSS v2 and v3. We considered CVEs having both CVSS v2 and v3 scores and compared their severity distribution across all severity levels. The severity shift to higher severity is more evident here. Almost 36% of the high severity items were re-categorized as critical vulnerabilities. Similarly,

approximately 50% of medium severity vulnerabilities using CVSS v2 were re-categorized as high severity using CVSS v3.

Does the decrease in the number of high-severity vulnerabilities imply a decrease in threats or does high and critical severity only matter while addressing threats? Let us look at that now.


4. Overall Vulnerability and Threat Details (Continued)

Figure 4(b): High, Medium and Low Severity Vulnerabilities Over all Years Using CVSS v2

1996–2004

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

Figure 4(c): High, Medium, and Low Severity Vulnerabilities Over the Years Using CVSS v3Critical High Medium Low

2015

2016

2017

2018

0 100 200 300 400 500 600


Let's take a deeper look at the severity distribution of vulnerabilities under consideration. The CVSS v2 and v3 distributions are shown in Figures 4(b) and 4(c) respectively. As mentioned above, the severity is derived by mapping the vulnerabili-ties to their CVSS rating. We will look at the high-severity vulnerability ratio using CVSS v2 with respect to pre- and post-2015 vulnerability disclo-sure and see the correlation between high-severity vulnerabilities and total vulnerabilities (i.e., the high severity to total vulnerability ratio). From figure 4(b), it can be observed that at least 80% of all vulnerabilities released between 2010 and 2015 are high-severity vulnerabilities. Particu-larly, 2012 and 2013 seeing 90% of high-severity vulnerabilities among the total vulnerabilities released. In 2012, 135 out of 149 and in 2013, 141 out of 149 are high-severity vulnerabilities. Does this upward trend of increase in high-severity vulnerabilities continue post-2015?

2015 and 2016 see a decline in the ratio of high severity to total number of vulnerabilities (i.e., close to 85%). In 2015, 429 out of 496 vulnerabili-ties are high severity and in 2016, 480 out of 538 are of high severity. This decline in high-severity vulnera-bilities to total vulnerabilities ratio continues into 2017 and 2018. In

2018, only 32% of total vulnerabilities are high-severity vulnerabilities, i.e., 121 vulnerabilities out of the total 374.

Though the total number of vulnerabilities disclosed has increased post-2015, the high severity to total vulnerabilities ratio has decreased during this period when compared to pre-2015 time period.

Figure 4(c) shows the vulnerability severity distribution based on CVSS v3 scoring mechanism. We have included CVSS v3 scores from the time that CVSS v3 was formalized, June of 2015. A shift to higher severity can be observed over the years between CVSS v2 and v3 (i.e., high-severity vulnerabilities are categorized into critical severity buckets and medium-severity vulnerabilities are categorized into high severity). This is further observed in figure 4(d).

Figure 4(d) shows the distribution of vulnerabilities across all severity levels in CVSS v2 and v3. We considered CVEs having both CVSS v2 and v3 scores and compared their severity distribution across all severity levels. The severity shift to higher severity is more evident here. Almost 36% of the high severity items were re-categorized as critical vulnerabilities. Similarly,

approximately 50% of medium severity vulnerabilities using CVSS v2 were re-categorized as high severity using CVSS v3.

Does the decrease in the number of high-severity vulnerabilities imply a decrease in threats or does high and critical severity only matter while addressing threats? Let us look at that now.

1000

800

600

400

200

0

CVSS v3 CVSS v2

Critical High Medium Low

Figure 4(d): CVSS v2 versus v3 Severity Distribution


4. Overall Vulnerability and Threat Details (Continued)

Figure 4(e) shows the CVSS v2 and v3 distribution of CVEs having threats. CVEs with threats are primarily catgorized under high and critical severity under CVSS v3 and high and medium severity under CVSS v2. This again shows the shift towards high severity for CVEs with threats. An exception occurs for CVEs released in 2018 where around 150 medi-um-severity vulnerabilities using CVSS v2 have threats, out of which 80 have been categorized as high severity using CVSS v3. This emphasizes the importance given to threat context within CVSS v3 methodology. Particularly, with respect to the scope and authentication attributes having more granular details in CVSS v3 methodology. For example, in the CVSS v3 methodology a Remote Code Execution (RCE) can be characterized by a change in Scope as well as no User Interaction needed, and possibly low Privilege Required, which was not possible in CVSS v2.

Critical High Medium Low Figure 4(e): CVSS v2 versus v3 Threat Distribution

0 100 200

1996–2004

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

0100200300 300

V3 SEVERITY V2 SEVERITY


CWE Title CWE ID No. CVEs

CWE-119

CWE-125

CWE-416

CWE-200

CWE-264

CWE-79

CWE-20

CWE-189

CWE-787

CWE-94

CWE-399

CWE-284

CWE-704

CWE-352

CWE-502

CWE-190

CWE-476

CWE-823

CWE-426

CWE-611

CWE-22

CWE-362

CWE-918

CWE-16

CWE-255

CWE-415

CWE-129

CWE-942

CWE-428

CWE-824

CWE-310

CWE-287

CWE-295

CWE-78

CWE-191

CWE-59

CWE-427

CWE-434

CWE-805

CWE-837

CWE-732

CWE-203

CWE-208

CWE-77

CWE-277

CWE-778

CWE-601

CWE-843

1094

195

160

122

118

101

87

70

57

56

52

36

21

11

8

8

7

7

5

5

4

4

4

3

3

3

3

3

3

2

2

2

2

2

2

2

2

2

1

1

1

1

1

1

1

1

1

1

Buffer Overflow

Out-of-bounds Read

Use After Free

Information Exposure

Improper Access Control

XSS

Improper Input Validation

Numeric Errors

Buffer Overflow

Injection

Resource Mis-Management


Incorrect Type Conversion

Cross-Site Request Forgery (CSRF)

Deserialization of Untrusted Data

Integer Overflow

Null Pointer Dereference

Out-of-range Pointer Offset

Untrusted Search Path

XXE

Path Traversal

Race Condition

Server-Side Request Forgery (SSRF)

Configuration

Credentials Management

Double Free

Improper Validation of Array Index

Overly Permissive Cross-domain Whitelist

Unquoted Search Path or Element

Access of Uninitialized Pointer

Cryptographic Issues

Improper Authentication

Improper Certificate Validation

Injection

Integer Underflow

Link Following

Uncontrolled Search Path Element

Unrestricted File Upload

Buffer Access with Incorrect Length Value

Improper Enforcement of a Single, Unique Action

Incorrect Permission Assignment for Critical Resource



Injection

Insecure Inherited Permissions

Insufficient Logging

Open Redirect

Type Confusion

Table 5(a): Vulnerability Types of CVEs Mapped to CWEs


5. Vulnerabilities by Weakness

In this section we enumerate the weaknesses that have introduced vulnerabilities across all Adobe products. We further correlate the weaknesses to relative threats associated with the vulnerabilities. The vulnerability weakness types are identified by processing CVE to CWE mappings.

Table 5(a) shows the list of all distinct weaknesses and their composition across the total vulnerabilities with the available CWE mappings.

Buffer Overflow weakness takes the top rank with its applicability to 1,094 CVEs, followed by Out-of-bounds Read weakness affecting 195 CVEs, and Use After Free comes in third affecting 160 CVEs.

At their core, the top three software weaknesses within 50% of CVEs affecting Adobe products belong to the memory management category. This indicates implementation of poor memory management techniques as part of the software development involving Adobe products.


CWE-416

CWE-787 CWE-399CWE-125 CWE-189 CWE-837

CWE-94CWE-200 CWE-264 CWE-79 CWE-203 CWE-208CWE-119 CWE-20

Figure 5(b): Top 3 Vulnerability Types Over All Years

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2002

Figure 5(a): Top 5 Vulnerability Types by High Severity

Improper Access Control (CWE-264)

Use After Free (CWE-416)

Numeric Errors (CWE-189)

Improper Input Validation (CWE-20) 3%

4%

8%

64% Buffer Overflow (CWE-119)6%

We will delve deeper into the weakness statistics. Specifically, we will see the weaknesses primarily contributing to the high-severity vulnerabilities which range from 7.0-10.0 CVSS v2 score. Figure 5(a) shows the weaknesses contributing to high-severity vulnerabilities. As expected, Buffer Overflow takes the top position affecting 64% of the vulnerabilities (i.e.,1079 CVEs). Correlating this against weaknesses across all vulnerabilities in table 5(a), it can be observed that almost all of the Buffer Overflow weaknesses are resulting in high-severity CVEs. Other weaknesses contributing to the high-severity vulnerabilities are Use After Free affecting 140 high-severity CVEs and Improper Access Control affecting 118 high-severity CVEs.


5. Vulnerabilities by Weakness (Continued)

Vulnerability Weaknesses Over All YearsFigure 5(b) shows the top 3 vulnerability weakness types contributing to each year. It can be observed that Buffer Overflow weakness, CWE-119, contributes to the highest number of weaknesses consistently from year 2007 until 2018 contributing to 129 and 269 CVEs in 2015 and 2016 respectively. In other words, Buffer Overflow weakness contributed to the spike in the increase of vulnerabilities disclosed in 2015 and 2016 that we referenced previously.


³ https://cwe.mitre.org/data/definitions/700.html

Table 5(b): Programming Errors Mapped to Vulnerability Types

Vulnerability Type Programming Practice

Buffer Overflow

Out-of-bounds Read

Use After Free



Input Validation and Representation

Input Validation and Representation

Code Quality

Encapsulation

Security Features

Figure 5(c): CWE to Threat Type Mappings



Now, let's look at the coding errors that have actually introduced these weaknesses into Adobe products. We use the Seven Pernicious Kingdoms³ (7PK) taxonomy for this. The 7PK taxonomy is a simple taxonomy that organizes coding errors, helping developers to recognize the categories of problems leading to security vulnerabilities. The taxonomy also helps developers identify existing errors while designing and developing software. Table 5(b) shows the mapping between the

prevalent weaknesses in Adobe-related vulnerabilities to relevant coding errors using the 7PK taxonomy.

From Figure 5(c), it can be observed that the top three weaknesses that contribute to the total exploit instances are CWE-119 (Buffer Overflow), CWE-416 (Use After Free) and CWE-94 (Injection). Together, these weaknesses contribute to 938 unique vulnerability-exploit pairs. Buffer Overflow weakness has been exploited in 247 unique CVEs, resulting in 673 unique vulnerability-exploit pairs. Similarly, the Use After Free weakness has been exploited in 43 unique CVEs, resulting in 212 vulnerability-exploit pairs and the Injection weakness has been exploited in 9 unique CVEs, resulting in 53 unique vulnerability-exploit pairs.

We show the relationship between the weakness and threat categories in Figure 5(c) and further expand this to different threat types in Figure 5(d).


Weaknesses to ThreatsWe will now identify the relationship between the underlying weaknesses and threat categories of exploit and malware. Threat authors take advantage of underlying vulnerabilities in software to successfully execute their exploits or malicious code. Such vulnerabilities are introduced due to weaknesses resulting from poor coding practices. Therefore, a relationship between the weaknesses and correlated threats can be established by pivoting on the underlying vulnerability.

It can be observed that CWE-125 (Out-of-bounds Read) is the primary contributor to Trojan type malware, followed by CWE-119 (Buffer Overflow). Further, the Buffer Overflow weakness is also a contributor to DoS, RCE, and PE threat types. We have already established above how the increase in the Buffer Overflow weakness-based vulnerabilities have contributed to the steep rise in the total number of vulnerabilities. Here, by showing their

relationship to the threat types, it can be inferred that the Buffer Overflow weakness introduced the highest number of multiple threat types to Adobe products like DoS, RCE, PE-based exploits, and Trojan malware. In the next section, we will see which Adobe products are most affected by these combinations of weaknesses and threats.



The top 3 weaknesses contributing to the malware category are: CWE-125 (Out-of-bounds Read), CWE-119 (Buffer Overflow), and CWE-399 (Resource Mismanagement). Together, the above weaknesses contribute to 1,047 unique vulnerability-malware pairs. The Out-of-bounds Read weakness has been exploited in 109 unique vulnerabilities, resulting in 905 unique vulnerability-malware pairs. The Buffer Overflow weakness has been exploited in 7 unique CVEs, resulting in 117 unique CVE-malware pairs. The Resource Mismanagement weakness has been exploited in 5 unique CVEs resulting in 25 unique CVE-malware pairs.

Figure 5(d): CWE to Threat Category Mappings

We will delve deep into the correlation between weaknesses and threat types, i.e., the exploit and malware types. Figure 5(d) depicts this relationship where the weaknesses are mapped to applicable threat types. As explained in the methodology section above, the threat type labeling is derived from several attributes of a given exploit code or malware. The exploit category is further labelled as RCE, DoS, Web Apps, and PE threat types and the malware category is further labelled as Trojan, Exploit Kits, and Ransomware. Wherever threat type labelling was not possible due to lack of sufficient quality data, the threat type is retained as either malware or exploit.


Figure 6(a): Top 5 Products Contributing to the Overall Vulnerability Count

Figure 6(b): Top 5 Products Contributing to the High-Severity Vulnerabilities

Adobe Acrobat Reader42%

Flash Player41%

Shockwave Player7%

Digital Editions

1%

Photoshop

1%

In this section, we will review the products contributing to Adobe-related vulnerabilities over all the years. Specifically, we look at the product families that are contributing to these vulnerabilities. Though Adobe has an extensive lineup of products, there are two major families under which most of their products can be categorized: the Acrobat/Reader family and the Flash family. All products within each family are susceptible to the same set of CVEs since they use the same underlying code constructs and architecture. For example, Adobe Reader and Acrobat are vulnerable to same set of CVEs since they are built on the same platform. When a certain product of a family has CVEs specific to it, we have attributed those CVEs to that product alone while other CVEs that are common to all products in the family are attributed to the entire family.

Let's begin by looking at the top 5 products contributing to the overall vulnerability count over the years, shown in Figure 6(a). The top two contributors are the Acrobat/Reader and Flash products. Together they contribute to nearly 80% (2,421) of all Adobe vulnerabilities. Acrobat/Reader contributes 1,338 vulnerabilities while the Flash Player contributes 1,083 vulnerabilities.


6. Product Details

The top 5 products contributing to the high-severity vulnerabilities are shown in figure 6(b). The order between the products contributing to the overall vulnerability count and the high-severity vulnerability count remains the same for the top 4 products, i.e., Adobe Acrobat and Reader with 983 CVEs, Flash Player with 953 CVEs, Shockwave Player with 167 CVEs and Digital Editions with 27 CVEs. Photoshop takes the fifth position for having most number of high-severity vulnerabilities with a count of 25 CVEs.

Acrobat/Reader and Flash products are the highest contributors to the total vulnerability count and high-severity vulnerability count. Together they contributed 2,421 vulnerabilities to the total count and 1,936 to the high-severity count across all the years.

Figure 6(c) shows the top 3 products contributing to the overall vulnerability count. As expected, Acrobat/Reader and Flash products take the lead over all years. Further, a leap in the overall vulnerability count in 2015 and beyond can be attributed to these two products. Especially Acrobat/Reader which has 137, 227, 211, and 289 vulnerabilities from 2015–2018, respectively. Though Flash also has high vulnerability counts across 2015–2018 (338, 257, 70, and 24 CVEs respectively), it

can be observed that Flash product vulnerabilities are decreasing rapidly since 2017. This is most likely due to online content media moving away from Flash as a delivery mechanism, thus making it a less attractive target for malicious hackers. Additionally, this reduction in Flash’s vulnerability count does not necessarily mean that it's becoming more secure. Note that Flash still has critical vulnerabilities that have been used in propagating Exploit Kits in 2017 and 2018.

Adobe Acrobat Reader44%

Flash Player35%

Shockwave Player6%

ColdFusion3%

Digital Editions

2%


Adobe's introduction of Acrobat DC in 2015 is the key contributor to the increase in Acrobat product vulnerabilities. This indicates that Adobe’s venture into cloud-based product delivery did not have sufficient application threat modeling in place during the product’s design and development phases.

We will now map the threat to weakness pairs shown in previous sections to their respective Adobe products.

Figure 6(d) illustrates this relationship. We show how each product is susceptible to certain threats due to the weaknesses introduced during their development. While Out-of-bounds Read (CWE-125) is the key weakness in Acrobat/Reader, Buffer Overflow (CWE-119) takes the top spot for the Flash product. The figure also shows the resulting threat types from such weaknesses introduced into each product line. Especially, exploit kits targeting Flash products are often made possible by the

In this report we have analyzed Adobe product-related vulnerabilities over the last 20 years, their likely causes, and how they have resulted in threats in the real world. This analysis clearly highlights the importance of evaluating vulnerabilities in the context of weaponization. We have seen that large numbers of vulnerabilities do not always translate to real-world threats. Conversely, the data shows that years with fewer vulnerabilities can result in more overall weaponization and risk for the enterprise. As such, an up-to-date view of vulnerability weaponization is essential for making good information security decisions and prioritizing an organization’s efforts.

Our analysis of vulnerability lifecycle metrics like TTD, TTW, and TTP emphasizes the need a timely threat-centric remediation approach. This is especially important, considering the time latency between vulnerability disclosure, weaponization, and patch times. Such a threat-centric approach can allow organizations to stay ahead of the threats that pose the greatest risk.

Finally, we have enumerated the software weaknesses that are responsible for vulnerabilities in Adobe products and how these weaknesses ultimately map to threats in the wild. These insights should be valuable to all developers, and further highlight the criticality of secure coding and development practices.

We ultimately hope that this long-term, lifecycle view of vulnerabilities leads to more secure products and more secure organizations. Product development, vulnerability discovery and reporting, and threat weaponization all come together to ultimately define an organization’s risk. While Adobe products are only a slice of an organization’s software footprint, we hope that this analysis provides a model that can extend to all enterprise software and assets.

2006

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

100 200 250150500

Acrobat ReaderColdfusion

Flash Player

8

257

211

33

Flash PlayerAcrobat Reader

Acrobat ReaderFlash PlayerColdFusion

Acrobat ReaderFlash Player

Flex


Shockwave Player


Shockwave Player


Shockwave Player

Acrobat ReaderFlash PlayerColdFusion

Flash PlayerAdobe Reader

ColdFusion


ColdFusion


Experience Manager


Digital Editions


ColdFusion

300

1996-2004

2005

Adobe ReaderAdobe Content Server

Digital Editions

Acrobat ReaderFlash PlayerVersion Cue

316

2

833

77

1310

2020

5

5023

13

9160

52

11863

56

6842

28

6756

13

8042

5

137338

6

22713

70

22924

14

350

Figure 6(c): Top 3 Products Contributing to the Vulnerabilities Each Year

In this section, we will review the products contributing to Adobe-related vulnerabilities over all the years. Specifically, we look at the product families that are contributing to these vulnerabilities. Though Adobe has an extensive lineup of products, there are two major families under which most of their products can be categorized: the Acrobat/Reader family and the Flash family. All products within each family are susceptible to the same set of CVEs since they use the same underlying code constructs and architecture. For example, Adobe Reader and Acrobat are vulnerable to same set of CVEs since they are built on the same platform. When a certain product of a family has CVEs specific to it, we have attributed those CVEs to that product alone while other CVEs that are common to all products in the family are attributed to the entire family.

Let's begin by looking at the top 5 products contributing to the overall vulnerability count over the years, shown in Figure 6(a). The top two contributors are the Acrobat/Reader and Flash products. Together they contribute to nearly 80% (2,421) of all Adobe vulnerabilities. Acrobat/Reader contributes 1,338 vulnerabilities while the Flash Player contributes 1,083 vulnerabilities.


6. Product Details (Continued)

The top 5 products contributing to the high-severity vulnerabilities are shown in figure 6(b). The order between the products contributing to the overall vulnerability count and the high-severity vulnerability count remains the same for the top 4 products, i.e., Adobe Acrobat and Reader with 983 CVEs, Flash Player with 953 CVEs, Shockwave Player with 167 CVEs and Digital Editions with 27 CVEs. Photoshop takes the fifth position for having most number of high-severity vulnerabilities with a count of 25 CVEs.

Acrobat/Reader and Flash products are the highest contributors to the total vulnerability count and high-severity vulnerability count. Together they contributed 2,421 vulnerabilities to the total count and 1,936 to the high-severity count across all the years.

Figure 6(c) shows the top 3 products contributing to the overall vulnerability count. As expected, Acrobat/Reader and Flash products take the lead over all years. Further, a leap in the overall vulnerability count in 2015 and beyond can be attributed to these two products. Especially Acrobat/Reader which has 137, 227, 211, and 289 vulnerabilities from 2015–2018, respectively. Though Flash also has high vulnerability counts across 2015–2018 (338, 257, 70, and 24 CVEs respectively), it

can be observed that Flash product vulnerabilities are decreasing rapidly since 2017. This is most likely due to online content media moving away from Flash as a delivery mechanism, thus making it a less attractive target for malicious hackers. Additionally, this reduction in Flash’s vulnerability count does not necessarily mean that it's becoming more secure. Note that Flash still has critical vulnerabilities that have been used in propagating Exploit Kits in 2017 and 2018.

Buffer Overflow weakness. Further, the Buffer Overflow weakness is responsible for the majority of RCE. To summarize, Flash products have the Buffer Overflow weakness that has led to DoS and RCE-based threats.










6. Product Details (Continued)

Figure 6(d): Products Mapped to Threats and Vulnerability Types



Conclusion











YEAR TOTAL COUNT LOW MEDIUM HIGH THREATS

TOTAL

2005

1996-2004

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

2006

2007

24

17

63

99

208

203

149

149

139

496

538

359

374

2891

34

39

9

6

28

25

24

36

14

7

24

66

58

99

253

694

18

27

12

7

34

73

183

167

135

141

115

429

480

260

121

2176

7

12

6

5

16

24

38

16

9

16

22

176

125

74

177

721

3

14

3

21

1

1

1

0

0

1

0

1

0

0

0

9

0


Appendix A

Total number of vulnerabilities by year categorized by their severity.


Nessus Nexpose Qualys

CVE-1999-0133

CVE-1999-1576

CVE-2000-0713

CVE-2001-1069

CVE-2002-0030

CVE-2002-1016

CVE-2002-1017

CVE-2002-1018

CVE-2002-1019

CVE-2002-1020

CVE-2002-1601

CVE-2002-1764

CVE-2003-0142

CVE-2003-0284

CVE-2003-0508

CVE-2004-0194

CVE-2004-0629

CVE-2004-0632

CVE-2004-1153

CVE-2004-1598

CVE-2005-0035

CVE-2005-0151

CVE-2005-0492

CVE-2005-0918

CVE-2005-1307

CVE-2005-1347

CVE-2005-1842

CVE-2005-1843

CVE-2005-4708

CVE-2006-0525

CVE-2006-1628

CVE-1999-0133

CVE-2001-1069

CVE-2002-1016

CVE-2002-1017

CVE-2002-1018

CVE-2002-1019

CVE-2002-1020

CVE-2002-1601

CVE-2002-1764

CVE-2003-0508

CVE-2003-1017

CVE-2005-0151

CVE-2005-0918

CVE-2005-1307

CVE-2005-1347

CVE-2005-1842

CVE-2005-1843

CVE-2005-3525

CVE-2005-4708

CVE-2006-0525

CVE-2006-1182

CVE-2006-1627

CVE-2006-1628

CVE-2006-1785

CVE-1999-0133

CVE-1999-1576

CVE-2000-0713

CVE-2001-1069

CVE-2002-0030

CVE-2002-1016

CVE-2002-1017

CVE-2002-1018

CVE-2002-1019

CVE-2002-1020

CVE-2002-1601

CVE-2002-1764

CVE-2003-0142

CVE-2003-0284

CVE-2003-0434

CVE-2003-0508

CVE-2003-1017

CVE-2004-0630

CVE-2004-0631

CVE-2004-1152

CVE-2005-0151

CVE-2005-0918

CVE-2005-1307

CVE-2005-1347

CVE-2005-1841

CVE-2005-1842

CVE-2005-1843

CVE-2005-3525

CVE-2005-3591

CVE-2005-4708

CVE-2006-0525

CVE-2006-1182

CVE-2006-1627

CVE-2006-1628


CVE-2006-2042

CVE-2006-3452

CVE-2006-4726

CVE-2006-5549

CVE-2006-5859

CVE-2006-5860

CVE-2006-6482

CVE-2007-1278

CVE-2007-1279

CVE-2007-1280

CVE-2007-1377

CVE-2007-2244

CVE-2007-2365

CVE-2007-2682

CVE-2007-3640

CVE-2007-5169

CVE-2007-5905

CVE-2007-5941

CVE-2007-6253

CVE-2008-0642

CVE-2006-1786

CVE-2006-1787

CVE-2006-1788

CVE-2006-2042

CVE-2006-3978

CVE-2006-3979

CVE-2006-4724

CVE-2006-4725

CVE-2006-4726

CVE-2006-5199

CVE-2006-5200

CVE-2006-5549

CVE-2006-5856

CVE-2006-5858

CVE-2006-5859

CVE-2006-5860

CVE-2006-6482

CVE-2006-6483

CVE-2007-0103

CVE-2007-0817

CVE-2007-1278

CVE-2007-1279

CVE-2007-1280

CVE-2007-1377

CVE-2007-1874

CVE-2007-2244

CVE-2007-2365

CVE-2007-2682

CVE-2007-3101

CVE-2007-3640

CVE-2007-4651

CVE-2007-5169

CVE-2007-5394

CVE-2007-5905

CVE-2007-5941

CVE-2007-6021

CVE-2007-6148

CVE-2007-6149

CVE-2007-6253

CVE-2007-6431

CVE-2007-6432

CVE-2008-0642

CVE-2006-1786

CVE-2006-1787

CVE-2006-1788

CVE-2006-2042

CVE-2006-3978

CVE-2006-3979

CVE-2006-4724

CVE-2006-4725

CVE-2006-4726

CVE-2006-5199

CVE-2006-5200

CVE-2006-5549

CVE-2006-5859

CVE-2006-5860

CVE-2006-6482

CVE-2007-0103

CVE-2007-1199

CVE-2007-1278

CVE-2007-1279

CVE-2007-1280

CVE-2007-1377

CVE-2007-1874

CVE-2007-2682

CVE-2007-3101

CVE-2007-3640

CVE-2007-4651

CVE-2007-5169

CVE-2007-5394

CVE-2007-5905

CVE-2007-5941

CVE-2007-6021

CVE-2007-6148

CVE-2007-6149

CVE-2007-6253

CVE-2007-6431

CVE-2007-6432

CVE-2008-0642


CVE-2008-0643

CVE-2008-0644

CVE-2008-1201

CVE-2008-1202

CVE-2008-1203

CVE-2008-1656

CVE-2008-1765

CVE-2008-3515

CVE-2008-3516

CVE-2008-3961

CVE-2008-4071

CVE-2008-4473

CVE-2008-4831

CVE-2008-5109

CVE-2008-5331

CVE-2008-6062

CVE-2009-0524

CVE-2009-1877

CVE-2009-1878

CVE-2009-1879

CVE-2009-2186

CVE-2009-3467

CVE-2009-4764

CVE-2010-0185

CVE-2010-0378

CVE-2008-0643

CVE-2008-0644

CVE-2008-1201

CVE-2008-1202

CVE-2008-1203

CVE-2008-1656

CVE-2008-1765

CVE-2008-2640

CVE-2008-2991

CVE-2008-3515

CVE-2008-3516

CVE-2008-3961

CVE-2008-4071

CVE-2008-4473

CVE-2008-4831

CVE-2008-5108

CVE-2008-5109

CVE-2008-5331

CVE-2008-5364

CVE-2008-6062

CVE-2009-0523

CVE-2009-0524

CVE-2009-1365

CVE-2009-1872

CVE-2009-1873

CVE-2009-1874

CVE-2009-1875

CVE-2009-1876

CVE-2009-1877

CVE-2009-1878

CVE-2009-1879

CVE-2009-2186

CVE-2009-2265

CVE-2009-3068

CVE-2009-3467

CVE-2009-3489

CVE-2009-3791

CVE-2009-3792

CVE-2009-3952

CVE-2009-4195

CVE-2009-4764

CVE-2010-0185

CVE-2010-0189

CVE-2010-0378

CVE-2008-0644

CVE-2008-1202

CVE-2008-1203

CVE-2008-1656

CVE-2008-1765

CVE-2008-2640

CVE-2008-2991

CVE-2008-3515

CVE-2008-3516

CVE-2008-4071

CVE-2008-4831

CVE-2008-5109

CVE-2008-5331

CVE-2008-6062

CVE-2009-0523

CVE-2009-0524

CVE-2009-1873

CVE-2009-1874

CVE-2009-1876

CVE-2009-1877

CVE-2009-1878

CVE-2009-1879

CVE-2009-3489

CVE-2009-4764

CVE-2010-0378


Appendix B

Adobe vulnerabilities (CVEs) not identified by Tenable (Nessus), Rapid7 (Nexpose), and Qualys scanners.



CVE-2010-0379

CVE-2010-1279

CVE-2010-1294

CVE-2010-1296

CVE-2010-2321

CVE-2010-2885

CVE-2010-2886

CVE-2010-3132

CVE-2010-3149

CVE-2010-3150

CVE-2010-3151

CVE-2010-3153

CVE-2010-3154

CVE-2010-3155

CVE-2010-3191

CVE-2010-3975

CVE-2010-5212

CVE-2010-5213

CVE-2010-5258

CVE-2010-5270

CVE-2010-5290

CVE-2011-0568

CVE-2011-0733

CVE-2011-0734

CVE-2010-0379

CVE-2010-1279

CVE-2010-1293

CVE-2010-1294

CVE-2010-1296

CVE-2010-2217

CVE-2010-2218

CVE-2010-2219

CVE-2010-2220

CVE-2010-2321

CVE-2010-2885

CVE-2010-2886

CVE-2010-3127

CVE-2010-3132

CVE-2010-3149

CVE-2010-3150

CVE-2010-3151

CVE-2010-3152

CVE-2010-3153

CVE-2010-3154

CVE-2010-3155

CVE-2010-3191

CVE-2010-3633

CVE-2010-3634

CVE-2010-3635

CVE-2010-3975

CVE-2010-5212

CVE-2010-5213

CVE-2010-5258

CVE-2010-5270

CVE-2010-5290

CVE-2011-0580

CVE-2011-0581

CVE-2011-0582

CVE-2011-0583

CVE-2011-0584

CVE-2011-0612

CVE-2011-0613

CVE-2011-0614

CVE-2011-0615

CVE-2011-0629

CVE-2011-0733

CVE-2011-0734

CVE-2010-0379

CVE-2010-2321

CVE-2010-2885

CVE-2010-2886

CVE-2010-3132

CVE-2010-3149

CVE-2010-3150

CVE-2010-3151

CVE-2010-3153

CVE-2010-3154

CVE-2010-3155

CVE-2010-3975

CVE-2010-5212

CVE-2010-5213

CVE-2010-5258

CVE-2010-5270

CVE-2010-5290

CVE-2011-0613

CVE-2011-0614

CVE-2011-0615

CVE-2011-0733

CVE-2011-0734


CVE-2011-0735

CVE-2011-0736

CVE-2011-0737

CVE-2011-2123

CVE-2011-2443

CVE-2011-4693

CVE-2011-4694

CVE-2012-0771

CVE-2012-6270

CVE-2012-6271

CVE-2012-6637

CVE-2011-0735

CVE-2011-0736

CVE-2011-0737

CVE-2011-2091

CVE-2011-2131

CVE-2011-2132

CVE-2011-2133

CVE-2011-2164

CVE-2011-2443

CVE-2011-2463

CVE-2011-4368

CVE-2011-4693

CVE-2011-4694

CVE-2012-0275

CVE-2012-0765

CVE-2012-0770

CVE-2012-0778

CVE-2012-0780

CVE-2012-2023

CVE-2012-2024

CVE-2012-2025

CVE-2012-2026

CVE-2012-2027

CVE-2012-2028

CVE-2012-2041

CVE-2012-2042

CVE-2012-2048

CVE-2012-2052

CVE-2012-4170

CVE-2012-5674

CVE-2012-5675

CVE-2012-5679

CVE-2012-5680

CVE-2012-6270

CVE-2012-6271

CVE-2012-6637

CVE-2011-0735

CVE-2011-0736

CVE-2011-0737

CVE-2011-2092

CVE-2011-2093

CVE-2011-2164

CVE-2011-2443

CVE-2011-2461

CVE-2012-0765

CVE-2012-0770

CVE-2012-0771

CVE-2012-0778

CVE-2012-0780

CVE-2012-2023

CVE-2012-2024

CVE-2012-2025

CVE-2012-2026

CVE-2012-2027

CVE-2012-2028

CVE-2012-2042

CVE-2012-2048

CVE-2012-2052

CVE-2012-4171

CVE-2012-4363

CVE-2012-5679

CVE-2012-5680

CVE-2012-6637


CVE-2014-0514

CVE-2014-1881

CVE-2014-1882

CVE-2014-1883

CVE-2014-1884

CVE-2015-0343

CVE-2015-0344

CVE-2015-7829

CVE-2016-0948

CVE-2016-0949

CVE-2016-0950

CVE-2016-0955

CVE-2016-0956

CVE-2016-0957

CVE-2013-1387

CVE-2013-1388

CVE-2013-3349

CVE-2013-3350

CVE-2013-5325

CVE-2013-5326

CVE-2013-5327

CVE-2013-5328

CVE-2014-0513

CVE-2014-0514

CVE-2014-0570

CVE-2014-0571

CVE-2014-0572

CVE-2014-1881

CVE-2014-1882

CVE-2014-1883

CVE-2014-1884

CVE-2014-5315

CVE-2014-9166

CVE-2015-0343

CVE-2015-0344

CVE-2015-0345

CVE-2015-1773

CVE-2015-3109

CVE-2015-3110

CVE-2015-3111

CVE-2015-3112

CVE-2015-3269

CVE-2015-5255

CVE-2015-7829

CVE-2015-8458

CVE-2016-0948

CVE-2016-0949

CVE-2016-0950

CVE-2016-0951

CVE-2016-0952

CVE-2016-0953

CVE-2016-0955

CVE-2016-0956

CVE-2016-0957

CVE-2014-0514

CVE-2014-1881

CVE-2014-1882

CVE-2014-1883

CVE-2014-1884

CVE-2014-5315

CVE-2015-0343

CVE-2015-0344

CVE-2015-1773

CVE-2015-5566

CVE-2015-5965

CVE-2015-7829

CVE-2015-8051

CVE-2015-8458

CVE-2016-0955

CVE-2016-0956

CVE-2016-0957


Appendix B (Continued)




CVE-2016-0958

CVE-2016-1036

CVE-2016-4095

CVE-2016-4118

CVE-2016-4164

CVE-2016-4165

CVE-2016-4167

CVE-2016-4168

CVE-2016-4169

CVE-2016-4170

CVE-2016-4216

CVE-2016-4253

CVE-2016-6933

CVE-2016-6934

CVE-2016-6980

CVE-2016-7856

CVE-2016-7866

CVE-2016-7882

CVE-2016-7883

CVE-2016-7884

CVE-2016-7885

CVE-2016-7886

CVE-2016-7887

CVE-2017-11240

CVE-2017-11250

CVE-2017-11253

CVE-2016-0958

CVE-2016-1034

CVE-2016-1035

CVE-2016-1036

CVE-2016-1113

CVE-2016-1114

CVE-2016-1115

CVE-2016-4118

CVE-2016-4157

CVE-2016-4158

CVE-2016-4159

CVE-2016-4164

CVE-2016-4165

CVE-2016-4167

CVE-2016-4168

CVE-2016-4169

CVE-2016-4170

CVE-2016-4216

CVE-2016-4253

CVE-2016-4264

CVE-2016-6933

CVE-2016-6934

CVE-2016-6935

CVE-2016-6936

CVE-2016-7851

CVE-2016-7856

CVE-2016-7866

CVE-2016-7882

CVE-2016-7883

CVE-2016-7884

CVE-2016-7885

CVE-2016-7886

CVE-2016-7887

CVE-2016-7891

CVE-2017-11283

CVE-2017-11284

CVE-2016-0958

CVE-2016-0959

CVE-2016-1036

CVE-2016-4118

CVE-2016-4167

CVE-2016-4168

CVE-2016-4169

CVE-2016-4170

CVE-2016-4216

CVE-2016-4253

CVE-2016-6933

CVE-2016-6934

CVE-2016-6936

CVE-2016-6980

CVE-2016-7852

CVE-2016-7853

CVE-2016-7854

CVE-2016-7882

CVE-2016-7883

CVE-2016-7884

CVE-2016-7885

CVE-2017-11240

CVE-2017-11250

CVE-2017-11253


CVE-2017-11295

CVE-2017-11296

CVE-2017-11302

CVE-2017-11306

CVE-2017-11307

CVE-2017-11308

CVE-2017-2929

CVE-2017-2968

CVE-2017-2969

CVE-2017-2970

CVE-2017-2971

CVE-2017-2972

CVE-2017-2989

CVE-2017-3067

CVE-2017-3098

CVE-2017-3107

CVE-2017-3108

CVE-2017-11285

CVE-2017-11286

CVE-2017-11287

CVE-2017-11288

CVE-2017-11289

CVE-2017-11290

CVE-2017-11291

CVE-2017-11295

CVE-2017-11296

CVE-2017-11302

CVE-2017-11303

CVE-2017-11304

CVE-2017-2929

CVE-2017-2968

CVE-2017-2969

CVE-2017-2989

CVE-2017-3004

CVE-2017-3005

CVE-2017-3006

CVE-2017-3007

CVE-2017-3008

CVE-2017-3017

CVE-2017-3023

CVE-2017-3029

CVE-2017-3035

CVE-2017-3041

CVE-2017-3047

CVE-2017-3053

CVE-2017-3066

CVE-2017-3067

CVE-2017-3087

CVE-2017-3098

CVE-2017-3101

CVE-2017-3102

CVE-2017-3103

CVE-2017-3104

CVE-2017-3105

CVE-2017-3107

CVE-2017-3108

CVE-2017-11296

CVE-2017-11307

CVE-2017-11308

CVE-2017-2929

CVE-2017-2968

CVE-2017-2969

CVE-2017-2970

CVE-2017-2971

CVE-2017-2972

CVE-2017-2989

CVE-2017-3067

CVE-2017-3098

CVE-2017-3107

CVE-2017-3108


CVE-2017-3109

CVE-2017-3110

CVE-2017-3111

CVE-2018-12806

CVE-2018-12807

CVE-2018-12809

CVE-2018-15969

CVE-2018-15970

CVE-2018-15971

CVE-2018-15972

CVE-2018-15973

CVE-2018-4875

CVE-2018-4876

CVE-2018-4929

CVE-2018-4930

CVE-2018-4931

CVE-2017-3109

CVE-2017-3110

CVE-2017-3111

CVE-2018-12804

CVE-2018-12805

CVE-2018-12806

CVE-2018-12807

CVE-2018-12809

CVE-2018-12810

CVE-2018-12811

CVE-2018-12829

CVE-2018-15957

CVE-2018-15958

CVE-2018-15959

CVE-2018-15960

CVE-2018-15961

CVE-2018-15962

CVE-2018-15963

CVE-2018-15964

CVE-2018-15965

CVE-2018-15969

CVE-2018-15970

CVE-2018-15971

CVE-2018-15972

CVE-2018-15973

CVE-2018-15974

CVE-2018-15980

CVE-2018-4873

CVE-2018-4875

CVE-2018-4876

CVE-2018-4921

CVE-2018-4923

CVE-2018-4924

CVE-2018-4927

CVE-2018-4928

CVE-2018-4929

CVE-2018-4930

CVE-2018-4931

CVE-2018-4938

CVE-2018-4939

CVE-2018-4940

CVE-2018-4941

CVE-2017-3109

CVE-2017-3110

CVE-2017-3111

CVE-2018-12806

CVE-2018-12807

CVE-2018-12809

CVE-2018-12812

CVE-2018-12823

CVE-2018-15969

CVE-2018-15970

CVE-2018-15971

CVE-2018-15972

CVE-2018-15973

CVE-2018-4875

CVE-2018-4876

CVE-2018-4929

CVE-2018-4930

CVE-2018-4931






CVE-2018-4943

CVE-2018-4997

CVE-2018-4998

CVE-2018-4999

CVE-2018-5004

CVE-2018-5005

CVE-2018-5006

CVE-2018-4942

CVE-2018-4943

CVE-2018-4991

CVE-2018-4992

CVE-2018-5003

CVE-2018-5004

CVE-2018-5005

CVE-2018-5006

CVE-2018-4943

CVE-2018-4997

CVE-2018-4998

CVE-2018-4999

CVE-2018-5004

CVE-2018-5005

CVE-2018-5006





© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_Adobe_20190411

RiskSense – the industry’s most comprehensive risk-based vulnerability management and prioritization platform.

Contact us today to learn more about RiskSenseRiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | risksense.com

SCHEDULE A DEMOCONTACT US READ OUR BLOG

RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.

About RiskSense

https://risksense.com/company/contact-us/

https://risksense.com/demonow/

https://risksense.com/blog/

https://risksense.com/

https://risksense.com/

https://twitter.com/RiskSense

SPOTLIGHT RiskSense Vulnerability Weaponization Insights · 2019-04-16 · This Spotlight report...

Documents

Transcript of SPOTLIGHT RiskSense Vulnerability Weaponization Insights · 2019-04-16 · This Spotlight report...