SPOTLIGHT RiskSense Vulnerability Weaponization Insights · 2019-04-16 · This Spotlight report...
SPOTLIGHT
RiskSense Vulnerability Weaponization Insights
20 Years of Adobe Software Vulnerabilities Reveal Important Lessons for Remediation Teams and Software Developers Alike
This Spotlight report provides in-depth analysis of vulnerabilities and weaponization patterns across the entire family of Adobe products. By focusing on weaponization, we go beyond simply counting vulnerabilities, and instead reveal how popular software from a leading vendor becomes a beacon for attackers. A significant number of these vulnerabilities are exploitable and have remote code execution capabilities, changing their status from a potential threat to an active and live cyber risk exposure point. While our findings naturally focus on the most recent data, the report includes more than 20 years of data from 1996 through 2018, allowing us to see long-term trends.
This combination of scope and focus on threat impact provides invaluable insight for IT and security teams, executives, and application development teams. For example, while the overall count of vulnerabilities in 2018 was significantly down from the high point of 2016, our analysis shows that 2018 was the most active and significant year in terms of weaponization, with the largest overall number of weaponized vulnerabilities. While the total number of vulnerabilities had been declining, 2018 data shows that weaponized vulnerabilities made up almost half of this total (47%). Patching and countermeasures were less effective because 2018 also had the largest number of vulnerabilities weaponized prior to a patch being available.
Most importantly, this report provides insights and recommendations that can be used by IT, security, and development teams to significantly reduce risk for their organizations. In this Spotlight report, we:
• Analyze the weaponization and attacker patterns for Adobe CVEs and propose a more efficient threat-centric remediation approach;
• Present a deep analysis of how vulnerabilities and product weaknesses map to specific classes of threats such as exploits and malware;
• Analyze the coding weaknesses and issues that contribute to the most severe threats and ongoing Adobe product susceptibility.
Our analysis and threat attribution of more than 2,500 Adobe vulnerabilities has clearly revealed Acrobat Reader and Flash as two of the most vulnerable Adobe software products over the last 20 years. Adobe's 2015 foray into the cloud with Acrobat DC also led to a steep increase in the vulnerability count (a rise of 300 vulnerabilities). While Flash consistently contributed a substantial number of vulnerabilities until 2016 (around 1,300), Adobe has been successful in reducing the overall Flash-related vulnerability count since then.
The Importance of Threat-Centric Analysis
We emphasize the importance of efficient remediation, based on vulnerability lifecycle and threat metrics. In some cases, exploits related to critical exploit kits like Neutrino and Angler have been in the wild for more than a year prior to an associated CVE appearing in the National Vulnerability Database (NVD). We explore such patterns using Time-To-Disclosure (TTD) and Time-to-Weaponize (TTW) metrics and propose an efficient threat-centric remediation approach.
RiskSense Vulnerability Weaponization Insights • April 2019
Executive Summary
In the figure below, we capture the overall Adobe product vulnerability and threat snapshot with a funnel chart representation. This representation shows vulnerability and threat data in an informative and actionable manner. As we move from left to right, the funnel drills down into successively more granular, and critical, CVEs for remediation. Across the entire set of 2,891 vulnerabilities, 721 vulnerabilities are weaponized with associated threats, either exploit or malware, of which there are 72 CVEs with Remote Code Execution (RCE) type, 191 CVEs with Denial of Service (DoS) type, 65 CVEs with Privilege Escalation (PE) type, 15 CVEs with Web Apps, 14 with exploit kits, and numerous other miscellaneous malware and exploits (primarily Trojan). We reduce our data set further to 152 vulnerabilities by concentrating on critical CVEs associated with RCE, PE, and Web App-based exploits. Last, we arrive at the nine trending¹ vulnerabilities based on threat intelligence collected from the wild. These CVEs should receive immediate attention, as they have the greatest potential for an attack and will greatly improve an organization’s security posture once remediated.
Actionable Funnel for Adobe Vulnerabilities and Threats
Funnel stages, from Total Adobe CVE ID Count to CVEs That Matter:
• Total Adobe CVE ID count: 2,891 vulnerabilities
• Weaponized with exploit/malware: 721
• Critical CVEs with RCE, PE, and Web Apps: 152
• Trending exploit/malware: 9 (start here)
¹ Represents trending data for 2018 from RiskSense
Key Insights
Biggest Years for Vulnerabilities: 2015 & 2016
Across all years examined, 2015 saw the largest year-over-year increase in disclosed vulnerabilities, both in terms of total vulnerabilities and high-severity vulnerabilities. The 496 vulnerabilities found in 2015 represented a 256% increase compared to 2014. That figure includes 314 high-severity vulnerabilities, which marks the largest year-over-year growth in Adobe's history. 2016 provided the overall high-water mark for vulnerabilities with a total of 538, of which 480 were high severity.
2018 Was the Biggest Year for Weaponization
While the overall number of vulnerabilities in 2018 was down 30.5% compared to the all-time high in 2016, it was by far the most significant year in terms of weaponization. It had the largest number of total weaponized vulnerabilities (177) as well as the highest percentage (47%) of vulnerabilities being weaponized. Even more concerning, 50 of these were weaponized BEFORE a patch was available. This was by far the highest number seen over the course of the report, with 2010 taking second place with 18. It will bear close monitoring to see if 2018 is an outlier or part of a more concerning trend.
Buffer Overflow Most Common Vulnerability
Among all the 2,891 vulnerabilities considered, Buffer Overflow was the most common vulnerability type across all years (1,094 CVEs), distantly followed by Out-of-bounds Read (195 CVEs) and Use After Free (160 CVEs) types.
Acrobat Reader Family Most Vulnerable
The Acrobat Reader family of products takes the award for containing the most vulnerabilities (1,338), including 137 vulnerabilities introduced in 2015 with the introduction of Adobe Acrobat DC. Among the 721 unique CVEs having applicable threats, Denial of Service (DoS) is the most prevalent exploit type (applicable to 191 CVEs) for Adobe product-related vulnerabilities, followed by Remote Code Execution (applicable to 72 CVEs). This directly correlates with the most prevalent Memory Mismanagement weakness (representing a combination of Buffer Overflow, Out-of-bounds Read, and Use-After-Free) introduced by the developers into Adobe products.
Disclosure Latency Not Improving
The average disclosure latency between Adobe and the NVD has been inconsistent over all the years. While the NVD did a good job in publishing all Adobe CVEs with no latency for years 2005–2006, all other years did have disclosure latency. 2012 was the worst year, with 23 days of average vulnerability disclosure latency. The situation hasn’t improved in recent years either, with 2017 and 2018 having 13 and 21 days of average disclosure latency respectively.
Adversaries Take Advantage of Disclosure Latency
Adversaries have taken advantage of disclosure latency by exploiting weaknesses in Flash and Acrobat Reader through exploits that have been converted to notorious exploit kits like Neutrino, RIG, and Angler. In particular, for CVE-2015-8651 and CVE-2016-4117, adversaries were able to propagate the respective exploits in the wild before the vulnerability was publicly disclosed.
Memory Management a Persistent Issue
Memory mismanagement is the primary weakness resulting in severe threats for the Acrobat Reader and Flash product families. As we show using our unique threat-to-weakness-to-product attribution visualizations, memory management weakness has led to 938 unique vulnerability-exploit pairs and 1,047 unique vulnerability-malware pairs, with most of these threats applicable to Acrobat Reader and Flash products.
Managing Latency for Efficient Remediation
Our analysis shows that exploits in widely used exploit kits such as Neutrino and Angler were in the wild for more than a year before the associated vulnerability was released. We explore such patterns in detail using Time-To-Disclosure (TTD) and Time-to-Weaponize (TTW) latency metrics and propose an efficient threat-centric remediation approach. This analysis shows that vulnerability scanners alone are not sufficient for defending against all critical Remote Code Execution (RCE) and Privilege Escalation (PE) in Adobe products. As such, organizations should adopt a vulnerability lifecycle approach that includes real-world threat metrics in order to ensure full and efficient remediation.
Table of Contents
Executive Summary
Key Insights
1. Data Snapshot and Methodology
2. NVD Disclosure Latency
3. Weaponization Latency Details
4. Overall Vulnerability and Threat Details
5. Vulnerabilities by Weakness
6. Product Details
Conclusion
Appendices
1. Data Snapshot and Methodology
Data Snapshot
The input data set for this analysis includes only CVEs affecting Adobe products, which represents a total of 2,891 CVEs. While our primary data source was Adobe's security bulletins and advisories published since 2006, we have also included CVEs published by third parties like scanner KBs, bug bounty programs, vendors (SUSE, Red Hat, Microsoft, etc.), and NVD entries that were not included in Adobe security bulletins and advisories.
Figure 1(a) shows the volume of the data across each year.
Figure 1(a): Overall Data View by Year
CVSS v2: Low (L) / Medium (M) / High (H), with Exploit
1996-2004: 24 CVEs (3L/9M/12H), 6 Threats (25%)
2005: 17 CVEs (4L/6M/7H), 5 Threats (29%)
2006: 34 CVEs (9L/18M/7H), 3 Threats (9%)
2007: 39 CVEs (0L/27M/12H), 14 Threats (36%)
2008: 63 CVEs (1L/28M/34H), 16 Threats (25%)
2009: 99 CVEs (1L/25M/73H), 24 Threats (24%)
2010: 208 CVEs (1L/24M/183H), 38 Threats (18%)
2011: 203 CVEs (0L/36M/167H), 16 Threats (8%)
2012: 149 CVEs (0L/14M/135H), 9 Threats (6%)
2013: 149 CVEs (1L/7M/141H), 16 Threats (11%)
2014: 139 CVEs (0L/24M/115H), 22 Threats (16%)
2015: 496 CVEs (1L/66M/429H), 176 Threats (35%)
2016: 538 CVEs (0L/58M/480H), 125 Threats (23%)
2017: 359 CVEs (0L/99M/260H), 74 Threats (21%)
2018 through November: 374 CVEs (0L/253M/121H), 177 Threats (47%)
Vulnerability Enhancement Methodology
For enriched and contextual information around a CVE, we considered the following data from NVD:
• CVSS (Common Vulnerability Scoring System): The CVSS, devised by the Forum for Incident Response and Security Teams (FIRST) organization, provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The current version of CVSS is 3.0. However, not all CVEs have a relevant CVSS 3.0 score. Hence, we considered CVSS 2.0 for all CVEs. In all cases, we have evaluated the difference between CVSS 2.0 and 3.0, and have considered only CVEs that have numerical scores from both versions.²
• CPE (Common Platform Enumeration): The CPE is a structured naming scheme for information technology systems, software, and packages that was first developed by MITRE. Currently, NIST manages the CPE libraries and updates to it. CVE to CPE mappings are the primary source we used to map Adobe CVEs to their respective product versions. Since CPE is a machine-understandable format, we have processed CPE strings pertaining to each CVE and further eliminated duplicate CVEs to product mappings. We have cross-verified our CVE to product mappings by comparing them with product details available within Adobe security bulletins and advisories.
• CWE (Common Weakness Enumeration): CWE is a list of common software security weaknesses. It serves as a common language for identifying weaknesses introduced into software through poor programming practices. We have used CVE to CWE mappings to identify the weaknesses related to Adobe CVEs.
Threat Attribution Methodology
Since there's no single reliable source to enrich threat context around a CVE, we gathered and processed contextual threat data from several sources on the internet. Some of the primary sources include: Exploit Frameworks (like Metasploit, Canvas, and Elliot Kit), AlienVault Open Threat Exchange (OTX), SANS Internet Storm Center, Exploit-DB, Contagiodump, Symantec, Microsoft Threat, and IBM X-Force threat intelligence, along with several other hacker forums and Twitter feeds. However, the primary limitation of the above approach is that we are limited to considering only those threats that are directly mapped to CVEs. This results in a limited threat landscape since there are always threats targeting different Adobe products that are not mapped to respective CVEs. We address this limitation using our threat knowledge graph model.
In a threat knowledge graph model, we explore the semantic relationships between different security entities and derive inferences from such relationships. Security entities include Indicators of Compromise (IoCs), Indicators of Exploit (IoEs), threat actors, threat campaigns, infrastructure, underlying weakness, threat types, etc. Some examples of the relationships between security entities include: a certain malware (threat type) affects a certain product (infrastructure), a buffer overflow weakness within a product (infrastructure) results in a Denial of Service (DoS) attack (threat type), a certain set of indicators result from a malware (threat type), etc. To be consistent in a machine readable form, all relationships are derived from an ontological model.
The underlying intent of the knowledge graph is to go beyond regular CVE-based threat attribution (i.e., not limit ourselves to gathering only those threats that are mapped to CVEs but create a linkage between openly available threats and target infrastructure, particularly products). We achieve such linkage by applying inferential analysis on our threat knowledge graph. For the scope of this report, we gathered and captured the attributes pertaining to the following in our knowledge graph model: (a) publicly available threats (malware and exploits) from the internet affecting Adobe products (but not directly mapped to specific product versions) and (b) weaknesses in Adobe products. We finally derived relationships between the threats and the precise set of products they affect by subjecting the relationship between their attributes in the knowledge graph through our inferential analysis. We will show in this report how such relationships between weaknesses, threats, and products can be visualized for actionable intelligence.
² FIRST https://www.first.org/
2. NVD Disclosure Latency
The National Vulnerability Database (NVD) takes in CVE entries from MITRE, partner vendors, and trusted security researchers, and enhances each CVE entry with remediation information, severity scores, impact ratings, vendor name, product name, vulnerability type, etc. This enhanced contextual information around a CVE makes it one of the most reliable sources for consuming CVE data. Hence research teams and infrastructure security teams within organizations rely on the NVD’s CVE feed to stay current on the latest CVEs and their impact information. However, not all CVEs disclosed by vendors get into the NVD in a timely manner, leading to CVE disclosure latency with respect to the NVD release date.
In this section, we present the NVD CVE disclosure latency, i.e., the number of days NVD has waited before publishing a CVE after it was first released by Adobe or another third party vendor. Figure 2(a) shows the percentage of (a) CVEs released by the vendor first and (b) CVEs disclosed by NVD on the same day as vendor release. Across all the years, the NVD did not publish any Adobe-related CVEs before Adobe or third party vendors. Hence, the NVD first category is eliminated.
Although the NVD did publish CVEs on the same day that Adobe and other third parties released them (thus avoiding CVE disclosure latency), the percentage of such CVEs across the time period is significantly smaller. The years 1996–2006 are the only exceptions to this trend. During this period, out of the total 75 CVEs released by Adobe, 64 CVEs were published on the same day by the NVD. However, this disclosure efficiency waned in subsequent years.
The percentage of CVEs released by the vendor versus published on the same day by the NVD varies greatly between 2008 and 2018. The top three years with a significant variation are 2010, 2011 and 2018. Each of these years registers more than 90% of CVEs experiencing NVD disclosure latency. In particular, in 2018, among a total of 376 vulnerabilities released, the NVD published only 10 CVEs on the same day as vendor release day.
Figure 2(a): Percent of Vulnerabilities for Each Year for Vendor First versus Same Day
[Chart: percentage of CVEs (0 to 100) for each year from 1996-2004 through 2018, in two series: Vendor First and Same Day]
Figure 2(b): Adobe to NVD Publication – Average Latency Across all Years
[Chart: average disclosure latency in days, one line per year from 1996-2004 through 2018]
We show year over year average disclosure latency in Figure 2(b). Each line represents the average disclosure latency for a given year considering all the vulnerabilities released in that year. For example, among all the Adobe vulnerabilities released in 2008, it took NVD an average of 15 days to disclose the vulnerability details after it was released by Adobe.
2012 was the year with the highest average CVE disclosure latency at 24 days. Despite 2015 and 2016 seeing a heavy increase in the number of CVEs disclosed by Adobe, the average CVE disclosure latency from the NVD for those years is only 7 and 6 days respectively. However, the average disclosure latency for 2017 and 2018 (i.e., 13 and 21 days respectively) indicates that the NVD was not able to keep up with the volume and rate of vendor CVE disclosure.
In the following sections we further correlate NVD disclosure latency with weaponization patterns and look at the resulting threat and attack landscape.
While CVE-2012-0771 contributes a whopping 2,197 days to 2012’s average disclosure latency of 24 days, it should be considered an outlier in this case, along with CVE-2012-2052, which had 772 days of disclosure latency. The majority of CVEs released in 2012 (135 of 149) have an NVD disclosure latency of less than 5 days; as such, we see CVE-2012-0771 and CVE-2012-2052 contributing heavily to the average for that year.
3. Weaponization Latency Details
In this section, we further expand on the vulnerability disclosure latency by adding threat context to it. We do this by combining vulnerability latency metrics and weaponization states occurring within those latency timelines. We define vulnerability latency metrics as the time latency involved within different stages of a vulnerability’s lifecycle. This lifecycle is defined as the different stages a vulnerability goes through from its inception to its end. We use the following latency definitions for a vulnerability within its life cycle.
1. Time to Disclosure (TTD): This is the time latency between the vulnerability release by vendor or third party, and NVD publication.
2. Time to Weaponize (TTW): This is the time latency between the earliest time a vulnerability is disclosed and the time it is weaponized. Weaponization here refers to publication of exploit code that can be attributed to a given CVE.
3. TTP (Time to Develop Patch): This is the time latency between the earliest vulnerability release and the time at which its patch is released.
We define weaponization states as relationships between the lifecycle stages (i.e., we define weaponization states through the relationship between the vendor's CVE disclosure date, patch/workaround date, exploit weaponization date, and NVD disclosure date). To this end, we use the following weaponization states:
• Exploit released before NVD publication and before patch release (X < NVD, X < Patch)
• Exploit released before NVD publication and after patch release (Patch < X < NVD)
• Exploit released after NVD publication and after patch release (NVD < X, Patch < X)
• Exploit released after NVD publication and before patch release (NVD < X < Patch)
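The latency definitions and the four weaponization states above can be computed directly from a CVE's lifecycle dates. The following is an added example, not code from the report: the record layout, the sample dates and IDs (constructed), the sign convention, the handling of same-day ties and missing patches, and the queue ranking are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed ranking for a remediation queue: the report singles out
# "X < NVD, X < Patch" as the most alarming state; the order of the
# other three is this example's choice (exploit-before-patch first).
STATE_PRIORITY = [
    "X < NVD, X < Patch",
    "NVD < X < Patch",
    "Patch < X < NVD",
    "NVD < X, Patch < X",
]


@dataclass(frozen=True)
class CveTimeline:
    cve_id: str
    vendor_release: date                       # earliest release by vendor or third party
    nvd_published: date
    patch_released: Optional[date] = None      # None = no patch yet
    exploit_published: Optional[date] = None   # None = not weaponized


def latency_metrics(t):
    """Return TTD, TTW and TTP in days.

    Sign convention (assumption): later event minus reference event, so a
    negative TTW means the exploit predates the earliest disclosure.
    """
    earliest = min(t.vendor_release, t.nvd_published)

    def gap(event):
        return None if event is None else (event - earliest).days

    return {
        "TTD": (t.nvd_published - t.vendor_release).days,
        "TTW": gap(t.exploit_published),
        "TTP": gap(t.patch_released),
    }


def weaponization_state(t):
    """Map a timeline to one of the four states, or None if not weaponized."""
    x = t.exploit_published
    if x is None:
        return None
    # Assumptions: an exploit published on the same day as NVD/patch counts
    # as "after"; a CVE with no patch counts as exploited before the patch.
    before_nvd = x < t.nvd_published
    before_patch = t.patch_released is None or x < t.patch_released
    if before_nvd and before_patch:
        return "X < NVD, X < Patch"
    if before_nvd:
        return "Patch < X < NVD"
    if before_patch:
        return "NVD < X < Patch"
    return "NVD < X, Patch < X"


def remediation_queue(timelines):
    """Weaponized CVEs only, most urgent state first, earliest exploit first."""
    weaponized = [t for t in timelines if t.exploit_published is not None]
    return sorted(
        weaponized,
        key=lambda t: (STATE_PRIORITY.index(weaponization_state(t)),
                       latency_metrics(t)["TTW"]),
    )


# Constructed sample timelines (not taken from the report).
SAMPLES = [
    CveTimeline("SAMPLE-A", date(2018, 5, 8), date(2018, 5, 19),
                date(2018, 5, 8), date(2018, 3, 1)),
    CveTimeline("SAMPLE-B", date(2018, 7, 10), date(2018, 7, 20),
                date(2018, 7, 10), date(2018, 7, 15)),
    CveTimeline("SAMPLE-C", date(2017, 1, 10), date(2017, 1, 11),
                date(2017, 1, 10), date(2017, 3, 1)),
    CveTimeline("SAMPLE-D", date(2016, 4, 5), date(2016, 4, 7),
                date(2016, 5, 10), date(2016, 4, 20)),
    CveTimeline("SAMPLE-E", date(2018, 2, 13), date(2018, 2, 27),
                date(2018, 2, 13), None),
]

if __name__ == "__main__":
    for t in remediation_queue(SAMPLES):
        print(t.cve_id, weaponization_state(t), latency_metrics(t))
```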
In figure 3(a), we show the distribution of vulnerabilities with threats across the above-defined weaponization states. Each quadrant represents a weaponization state and each stacked horizontal bar within the quadrant represents the number of weaponized CVEs for that year. The color within each stacked bar represents the number of CVEs corresponding to each CVSS v2 severity level.
Below, we show the actual latency metrics for the CVEs that have been used to create the most prolific threats (exploits, exploit kits, and malware) for Adobe products in the last 20 years.
To try and mitigate latency issues, it’s clear that organizations must make themselves aware of vulnerability data in three places – the vendor’s web site, the NVD, and the data obtained from their vulnerability management program.
Further, to overcome the well-understood limitations of scanners (Appendix B), organizations may consider adopting a virtual scanning methodology. In virtual scanning, the target software fingerprint is cross-checked against product versions (CPEs) and applicable CVEs from Adobe (and other third party) security bulletins and then prioritized for remediation in a timely manner, thereby reducing the dependency on scanning vendors alone while prioritizing critical vulnerabilities.
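A sketch of the virtual scanning idea described above, as an added example that is not the report's or any vendor's implementation: installed software is fingerprinted as CPE 2.3 strings, cross-checked against bulletin entries, and the findings are ordered by the funnel stages from the Executive Summary (trending, then weaponized RCE/PE/Web App, then other weaponized, then the rest). The bulletin record layout, the "affected if below the fixed version" rule, the host names, versions and placeholder CVE IDs are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Exploit classes the report's funnel treats as critical.
CRITICAL_TYPES = {"RCE", "PE", "WebApp"}


@dataclass(frozen=True)
class BulletinEntry:
    cve_id: str          # placeholder IDs below, not real CVEs
    product: str         # "vendor:product" as it appears in the CPE
    fixed_in: str        # first version that is no longer affected (assumed model)
    threat_type: str     # "RCE", "PE", "WebApp", "DoS", ...
    weaponized: bool     # an exploit or malware is attributed to the CVE
    trending: bool = False


def parse_cpe(cpe):
    """Return ("vendor:product", version) from a CPE 2.3 formatted string."""
    parts = re.split(r"(?<!\\):", cpe)        # split on unescaped colons only
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return f"{parts[3]}:{parts[4]}", parts[5]


def version_key(version):
    """Numeric sort key. A wildcard or unknown version yields (), which sorts
    below every fixed version, so unknown installs are reported as affected."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def funnel_tier(entry):
    """0 = trending, 1 = weaponized critical type, 2 = other weaponized, 3 = rest."""
    if not entry.weaponized:
        return 3
    if entry.threat_type not in CRITICAL_TYPES:
        return 2
    return 0 if entry.trending else 1


def virtual_scan(inventory, bulletin):
    """Cross-check (host, cpe) fingerprints against bulletin entries.

    Returns (tier, host, cve_id) tuples sorted so that the most urgent
    findings come first.
    """
    findings = []
    for host, cpe in inventory:
        product, version = parse_cpe(cpe)
        for entry in bulletin:
            if (entry.product == product
                    and version_key(version) < version_key(entry.fixed_in)):
                findings.append((funnel_tier(entry), host, entry.cve_id))
    return sorted(findings)


# Constructed inventory and bulletin data (hosts, versions and IDs are made up).
INVENTORY = [
    ("ws-014", "cpe:2.3:a:adobe:flash_player:29.0.0.113:*:*:*:*:*:*:*"),
    ("ws-022", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:*:*:*:*"),
    ("ws-031", "cpe:2.3:a:adobe:flash_player:31.0.0.153:*:*:*:*:*:*:*"),
    ("ws-040", "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"),   # version unknown
]

BULLETIN = [
    BulletinEntry("CVE-0000-0001", "adobe:flash_player", "30.0.0.113",
                  "RCE", weaponized=True, trending=True),
    BulletinEntry("CVE-0000-0002", "adobe:flash_player", "31.0.0.153",
                  "DoS", weaponized=True),
    BulletinEntry("CVE-0000-0003", "adobe:acrobat_reader_dc", "18.011.20040",
                  "PE", weaponized=True),
    BulletinEntry("CVE-0000-0004", "adobe:acrobat_reader_dc", "18.011.20040",
                  "RCE", weaponized=False),
]

if __name__ == "__main__":
    for tier, host, cve_id in virtual_scan(INVENTORY, BULLETIN):
        print(f"tier {tier}: {host} {cve_id}")
```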
Figure 3(a): Weaponization Stages (bars colored by CVSS Rating: 1–10)
• Exploit released before NVD publication and before patch release (X < NVD, X < Patch): 138 CVEs
• Exploit released before NVD publication and after patch release (Patch < X < NVD): 93 CVEs
• Exploit released after NVD publication and before patch release (NVD < X < Patch): 15 CVEs
• Exploit released after NVD publication and after patch release (NVD < X, Patch < X): 473 CVEs
The most alarming weaponization pattern is X < NVD, X < Patch, where the exploit for the CVE was released before it was published in the NVD and before an official patch was released. There are a total of 138 CVEs falling into this category. Looking deeper, we can observe that the count of the CVEs following this weaponization pattern increased in 2018, with more than 45 CVEs subjected to weaponization before they appeared in the NVD and before a corresponding patch was released. This indicates that adversaries are actively targeting Adobe products and further taking advantage of the disclosure and weaponization latencies to propagate their attacks.
High-Severity Vulnerabilities Timeline
Vulnerability Lifecycle Metrics Mapped to Threats (Reverse-Chronological Order)
Timeline legend: NVD Release Date, Exploit Release Date, Patch Release Date, Earliest CVE Release Date
CVE-2015-8651
Adobe Product: Flash Player
CVSS v2: 9.3; CVSS v3: 8.8
Threat Details: Angler exploit kit, Neutrino exploit kit, Nuclear Pack exploit kit, RIG exploit kit
Dates on timeline: 12/28/15, 1/14/14
Time to Disclosure (TTD): 0 days; Time to Weaponize (TTW): -713 days; TTP (Time to Develop Patch): 0 days
CVE-2016-4117
Adobe Product: Flash Player
CVSS v2: 10; CVSS v3: 9.8
Threat Details: Angler exploit kit, Magnitude exploit kit, Neutrino exploit kit, RIG exploit kit
Dates on timeline: 5/10/16, 1/14/14, 5/11/16
Time to Disclosure (TTD): -1 days; Time to Weaponize (TTW): -847 days; TTP (Time to Develop Patch): 0 days
CVE-2015-8446
Adobe Product: Flash Player
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Angler exploit kit
Dates on timeline: 12/10/15, 12/8/15, 12/20/15
Time to Disclosure (TTD): -2 days; Time to Weaponize (TTW): -12 days; TTP (Time to Develop Patch): 0 days
CVE-2016-1010
Adobe Product: Flash Player
CVSS v2: 10; CVSS v3: 9.8
Threat Details: Angler exploit kit
Dates on timeline: 3/10/16, 3/12/16
Time to Disclosure (TTD): -2 days; Time to Weaponize (TTW): -2 days; TTP (Time to Develop Patch): 0 days
CVE-2010-2883
Adobe Product: Acrobat Reader
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Winnti backdoor, Whalfrost backdoor, Tapaoux trojan, Sprayload trojan
Dates on timeline: 10/5/10, 9/9/10, 9/8/10, 5/28/09
Time to Disclosure (TTD): -1 days; Time to Weaponize (TTW): -495 days; TTP (Time to Develop Patch): 26 days
CVE-2010-1297
Adobe Product: Flash Player
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Sprayload trojan, Pidief trojan
Dates on timeline: 6/4/10, 6/8/10, 2/26/08
Time to Disclosure (TTD): -4 days; Time to Weaponize (TTW): -829 days; TTP (Time to Develop Patch): 0 days
CVE-2015-7645
Adobe Product: Flash Player
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Angler exploit kit, Hunter exploit kit, Magnitude exploit kit, Neutrino exploit kit, Nuclear Pack exploit kit, RIG exploit kit, Spartan exploit kit
Dates on timeline: 10/14/15, 10/12/15, 10/15/15
Time to Disclosure (TTD): -1 days; Time to Weaponize (TTW): -2 days; TTP (Time to Develop Patch): 0 days
CVE-2010-0188
Adobe Product: Acrobat Reader
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Neutrino exploit kit, Neclu exploit kit, Pdfjsc exploit, Bloodhound exploit, Pidief trojan, Protucs backdoor
Dates on timeline: 2/16/10, 2/22/10, 2/26/08
Time to Disclosure (TTD): -6 days; Time to Weaponize (TTW): -721 days; TTP (Time to Develop Patch): 0 days
CVE-2013-0634
Adobe Product: Flash Player
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Axpergle exploit, Pangimop exploit, RIG exploit kit, Magnitude exploit kit
Dates on timeline: 2/7/13, 2/8/13
Time to Disclosure (TTD): -1 days; Time to Weaponize (TTW): 0 days; TTP (Time to Develop Patch): 0 days
CVE-2002-1019
Adobe Product: Flash Player
CVSS v2: 10; CVSS v3: 9.8
Threat Details: Magnitude exploit kit, Neutrino exploit kit, Nuclear Pack exploit kit
Dates on timeline: 10/04/02, 1/14/14
Time to Disclosure (TTD): 0 days; Time to Weaponize (TTW): 4120 days; TTP (Time to Develop Patch): 0 days
CVE-2009-4324
Adobe Product: Acrobat Reader
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Pdfka exploit, Pdfjsc exploit, Blacole exploit kit, Protucs backdoor, Whalfrost backdoor, Zeroaccess trojan
Dates on timeline: 1/12/10, 12/14/09, 12/4/09, 5/28/09
Time to Disclosure (TTD): -10 days; Time to Weaponize (TTW): -229 days; TTP (Time to Develop Patch): 29 days
CVE-2009-0927
Adobe Product: Acrobat Reader
CVSS v2: 9.3; CVSS v3: NA
Threat Details: Pidief exploit, Bloodhound exploit
Dates on timeline: 3/19/09, 8/6/08, 3/18/09
Time to Disclosure (TTD): -1 days; Time to Weaponize (TTW): -224 days; TTP (Time to Develop Patch): 0 days
Vulnerability & Threat Details by YearWe start by providing an initial overview of the vulnerabilities and threats revealed over the years. Figure 4(a) shows the volume of vulnerabilities pertaining to Adobe products released between August 1996 and November 2018. It can be quickly observed that the volume of vulnerabilities has steadily increased from 1996 to 2010 and experienced a slight decline in 2012 and then remained steady until 2014. 2015 saw a steep increase in the number of vulnerabilities disclosed compared to the previous year. In 2014, the total number of vulnerabilities disclosed was 139, rising to 499 in 2015, (i.e., a 3.5x increase from 2014). We see a slight increase in the numbers going into 2016 (i.e., by 39 CVEs). While the total number of vulnerabilities disclosed in 2017 fell compared to 2016 by 179 CVEs, the total count was still significantly higher than the pre-2015 period. This shows a unique pattern of a steep increase in the vulnerabilities disclosure for Adobe products post-2015. So, what contributed to this spike post-2015? Is it any abnormal weaknesses introduced into Adobe products and which products were affected by this increase in vulnerability numbers? We will find out later in sections 5 and 6.
The overall vulnerabilities with threats over the years follow a different pattern than the number of vulnerabilities released. We look at this data from two perspectives, pre-2015 and post-2015, since we observed a significant spike in the number of vulnerabilities post-2015.
During the pre-2015 period, the percentage of vulnerabilities with threats compared to the total number of vulnerabilities has varied significantly between 1996–2014 ranging from as low as 6% of CVEs in 2012 (i.e., 9 out of total 149 CVEs) to 35% in 2007 (i.e., 14 CVEs out of 39 CVEs). During the post-2015 period, the percentage of vulnerabilities with threats compared to the total vulnerabilities rose sharply in 2015 with 35% of the vulnerabilities having threats (i.e., 176 CVEs out of 499 CVEs) and reached an all time peak in 2018 with 47% of vulnerabilities released in that year having threats (i.e., 177 CVEs out of total 376 CVEs).
The overall count of vulnerabilities disclosed and vulnerabilities with threats can be divided into two time periods, pre-2015 and post-2015. 2015 saw the highest spike in terms of vulnerabilities disclosed over the previous year, i.e., an increase of 360 total vulnerabilities.
Figure 4(a): Number of CVEs and Threats Related to Adobe Products Over all Years
Year | CVEs | Threats
2018 | 376 | 177
2017 | 359 | 74
2016 | 538 | 125
2015 | 499 | 176
2014 | 139 | 22
2013 | 149 | 16
2012 | 149 | 9
2011 | 203 | 16
2010 | 208 | 38
2009 | 99 | 24
2008 | 63 | 16
2007 | 39 | 14
2006 | 34 | 3
2005 | 175
1996-2004 | 246
2018 saw the highest vulnerability-to-threat ratio, 47% (i.e., the percentage of vulnerabilities released in 2018 that have associated threats, 177 out of 376 total CVEs).
4. Overall Vulnerability and Threat Details
This section presents the overall vulnerability and threat statistics and patterns. We primarily focus on high-level details like the number of vulnerabilities released over the years, their severity distributions, and a high-level view of threats applicable to vulnerabilities over the years and their distribution within the CVSS severity levels.
Let's take a deeper look at the severity distribution of vulnerabilities under consideration. The CVSS v2 and v3 distributions are shown in Figures 4(b) and 4(c) respectively. As mentioned above, the severity is derived by mapping the vulnerabilities to their CVSS rating. We will look at the high-severity vulnerability ratio using CVSS v2 with respect to pre- and post-2015 vulnerability disclosure and see the correlation between high-severity vulnerabilities and total vulnerabilities (i.e., the high severity to total vulnerability ratio). From Figure 4(b), it can be observed that at least 80% of all vulnerabilities released between 2010 and 2015 are high-severity vulnerabilities. In particular, 2012 and 2013 saw 90% high-severity vulnerabilities among the total vulnerabilities released. In 2012, 135 out of 149 and in 2013, 141 out of 149 are high-severity vulnerabilities. Does this upward trend in high-severity vulnerabilities continue post-2015?
2015 and 2016 see a decline in the ratio of high severity to total number of vulnerabilities (i.e., close to 85%). In 2015, 429 out of 496 vulnerabilities are high severity and in 2016, 480 out of 538 are of high severity. This decline in the ratio of high-severity vulnerabilities to total vulnerabilities continues into 2017 and 2018. In 2018, only 32% of total vulnerabilities are high-severity vulnerabilities, i.e., 121 vulnerabilities out of the total 374.
Though the total number of vulnerabilities disclosed has increased post-2015, the high severity to total vulnerabilities ratio has decreased during this period when compared to pre-2015 time period.
Figure 4(c) shows the vulnerability severity distribution based on CVSS v3 scoring mechanism. We have included CVSS v3 scores from the time that CVSS v3 was formalized, June of 2015. A shift to higher severity can be observed over the years between CVSS v2 and v3 (i.e., high-severity vulnerabilities are categorized into critical severity buckets and medium-severity vulnerabilities are categorized into high severity). This is further observed in figure 4(d).
Figure 4(d) shows the distribution of vulnerabilities across all severity levels in CVSS v2 and v3. We considered CVEs having both CVSS v2 and v3 scores and compared their severity distribution across all severity levels. The severity shift to higher severity is more evident here. Almost 36% of the high severity items were re-categorized as critical vulnerabilities. Similarly, approximately 50% of medium severity vulnerabilities using CVSS v2 were re-categorized as high severity using CVSS v3.
Does the decrease in the number of high-severity vulnerabilities imply a decrease in threats or does high and critical severity only matter while addressing threats? Let us look at that now.
Figure 4(b): High, Medium and Low Severity Vulnerabilities Over all Years Using CVSS v2
Figure 4(c): High, Medium, and Low Severity Vulnerabilities Over the Years Using CVSS v3 (legend: Critical, High, Medium, Low)
Figure 4(d): CVSS v2 versus v3 Severity Distribution (series: CVSS v3, CVSS v2; categories: Critical, High, Medium, Low)
Figure 4(e) shows the CVSS v2 and v3 distribution of CVEs having threats. CVEs with threats are primarily categorized under high and critical severity under CVSS v3 and high and medium severity under CVSS v2. This again shows the shift towards high severity for CVEs with threats. An exception occurs for CVEs released in 2018, where around 150 medium-severity vulnerabilities using CVSS v2 have threats, out of which 80 have been categorized as high severity using CVSS v3. This emphasizes the importance given to threat context within the CVSS v3 methodology, particularly with respect to the scope and authentication attributes, which have more granular details in the CVSS v3 methodology. For example, in the CVSS v3 methodology a Remote Code Execution (RCE) can be characterized by a change in Scope as well as no User Interaction needed, and possibly low Privilege Required, which was not possible in CVSS v2.
Figure 4(e): CVSS v2 versus v3 Threat Distribution (panels: V3 severity, V2 severity; legend: Critical, High, Medium, Low)
Table 5(a): Vulnerability Types of CVEs Mapped to CWEs
CWE Title | CWE ID | No. CVEs
Buffer Overflow | CWE-119 | 1094
Out-of-bounds Read | CWE-125 | 195
Use After Free | CWE-416 | 160
Information Exposure | CWE-200 | 122
Improper Access Control | CWE-264 | 118
XSS | CWE-79 | 101
Improper Input Validation | CWE-20 | 87
Numeric Errors | CWE-189 | 70
Buffer Overflow | CWE-787 | 57
Injection | CWE-94 | 56
Resource Mis-Management | CWE-399 | 52
Improper Access Control | CWE-284 | 36
Incorrect Type Conversion | CWE-704 | 21
Cross-Site Request Forgery (CSRF) | CWE-352 | 11
Deserialization of Untrusted Data | CWE-502 | 8
Integer Overflow | CWE-190 | 8
Null Pointer Dereference | CWE-476 | 7
Out-of-range Pointer Offset | CWE-823 | 7
Untrusted Search Path | CWE-426 | 5
XXE | CWE-611 | 5
Path Traversal | CWE-22 | 4
Race Condition | CWE-362 | 4
Server-Side Request Forgery (SSRF) | CWE-918 | 4
Configuration | CWE-16 | 3
Credentials Management | CWE-255 | 3
Double Free | CWE-415 | 3
Improper Validation of Array Index | CWE-129 | 3
Overly Permissive Cross-domain Whitelist | CWE-942 | 3
Unquoted Search Path or Element | CWE-428 | 3
Access of Uninitialized Pointer | CWE-824 | 2
Cryptographic Issues | CWE-310 | 2
Improper Authentication | CWE-287 | 2
Improper Certificate Validation | CWE-295 | 2
Injection | CWE-78 | 2
Integer Underflow | CWE-191 | 2
Link Following | CWE-59 | 2
Uncontrolled Search Path Element | CWE-427 | 2
Unrestricted File Upload | CWE-434 | 2
Buffer Access with Incorrect Length Value | CWE-805 | 1
Improper Enforcement of a Single, Unique Action | CWE-837 | 1
Incorrect Permission Assignment for Critical Resource | CWE-732 | 1
Information Exposure | CWE-203 | 1
Information Exposure | CWE-208 | 1
Injection | CWE-77 | 1
Insecure Inherited Permissions | CWE-277 | 1
Insufficient Logging | CWE-778 | 1
Open Redirect | CWE-601 | 1
Type Confusion | CWE-843 | 1
5. Vulnerabilities by Weakness
In this section we enumerate the weaknesses that have introduced vulnerabilities across all Adobe products. We further correlate the weaknesses to relative threats associated with the vulnerabilities. The vulnerability weakness types are identified by processing CVE to CWE mappings.
Table 5(a) shows the list of all distinct weaknesses and their composition across the total vulnerabilities with the available CWE mappings.
Buffer Overflow weakness takes the top rank with its applicability to 1,094 CVEs, followed by Out-of-bounds Read weakness affecting 195 CVEs, and Use After Free comes in third affecting 160 CVEs.
At their core, the top three software weaknesses within 50% of CVEs affecting Adobe products belong to the memory management category. This indicates implementation of poor memory management techniques as part of the software development involving Adobe products.
Figure 5(b): Top 3 Vulnerability Types Over All Years (legend: CWE-416, CWE-787, CWE-399, CWE-125, CWE-189, CWE-837, CWE-94, CWE-200, CWE-264, CWE-79, CWE-203, CWE-208, CWE-119, CWE-20)
Figure 5(a): Top 5 Vulnerability Types by High Severity (slices: Buffer Overflow (CWE-119) 64%, Use After Free (CWE-416), Improper Access Control (CWE-264), Numeric Errors (CWE-189), Improper Input Validation (CWE-20))
We will now delve deeper into the weakness statistics. Specifically, we will look at the weaknesses primarily contributing to the high-severity vulnerabilities, which range from 7.0 to 10.0 in CVSS v2 score. Figure 5(a) shows the weaknesses contributing to high-severity vulnerabilities. As expected, Buffer Overflow takes the top position, affecting 64% of the vulnerabilities (i.e., 1,079 CVEs). Correlating this against weaknesses across all vulnerabilities in Table 5(a), it can be observed that almost all of the Buffer Overflow weaknesses result in high-severity CVEs. Other weaknesses contributing to the high-severity vulnerabilities are Use After Free, affecting 140 high-severity CVEs, and Improper Access Control, affecting 118 high-severity CVEs.
Vulnerability Weaknesses Over All Years
Figure 5(b) shows the top 3 vulnerability weakness types contributing to each year. It can be observed that the Buffer Overflow weakness, CWE-119, consistently contributes the highest number of weaknesses from 2007 until 2018, contributing 129 and 269 CVEs in 2015 and 2016 respectively. In other words, the Buffer Overflow weakness contributed to the spike in vulnerabilities disclosed in 2015 and 2016 that we referenced previously.
³ https://cwe.mitre.org/data/definitions/700.html
Table 5(b): Programming Errors Mapped to Vulnerability Types
Vulnerability Type | Programming Practice
Buffer Overflow | Input Validation and Representation
Out-of-bounds Read | Input Validation and Representation
Use After Free | Code Quality
Information Exposure | Encapsulation
Improper Access Control | Security Features
Figure 5(c): CWE to Threat Type Mappings
Now, let's look at the coding errors that have actually introduced these weaknesses into Adobe products. We use the Seven Pernicious Kingdoms³ (7PK) taxonomy for this. The 7PK taxonomy is a simple taxonomy that organizes coding errors, helping developers to recognize the categories of problems leading to security vulnerabilities. The taxonomy also helps developers identify existing errors while designing and developing software. Table 5(b) shows the mapping from the prevalent weaknesses in Adobe-related vulnerabilities to relevant coding errors using the 7PK taxonomy.
From Figure 5(c), it can be observed that the top three weaknesses that contribute to the total exploit instances are CWE-119 (Buffer Overflow), CWE-416 (Use After Free) and CWE-94 (Injection). Together, these weaknesses contribute to 938 unique vulnerability-exploit pairs. Buffer Overflow weakness has been exploited in 247 unique CVEs, resulting in 673 unique vulnerability-exploit pairs. Similarly, the Use After Free weakness has been exploited in 43 unique CVEs, resulting in 212 vulnerability-exploit pairs and the Injection weakness has been exploited in 9 unique CVEs, resulting in 53 unique vulnerability-exploit pairs.
We show the relationship between the weakness and threat categories in Figure 5(c) and further expand this to different threat types in Figure 5(d).
Weaknesses to Threats
We will now identify the relationship between the underlying weaknesses and threat categories of exploit and malware. Threat authors take advantage of underlying vulnerabilities in software to successfully execute their exploits or malicious code. Such vulnerabilities are introduced due to weaknesses resulting from poor coding practices. Therefore, a relationship between the weaknesses and correlated threats can be established by pivoting on the underlying vulnerability.
It can be observed that CWE-125 (Out-of-bounds Read) is the primary contributor to Trojan type malware, followed by CWE-119 (Buffer Overflow). Further, the Buffer Overflow weakness is also a contributor to DoS, RCE, and PE threat types. We have already established above how the increase in Buffer Overflow weakness-based vulnerabilities has contributed to the steep rise in the total number of vulnerabilities. Here, by showing their relationship to the threat types, it can be inferred that the Buffer Overflow weakness introduced the highest number of multiple threat types to Adobe products like DoS, RCE, PE-based exploits, and Trojan malware. In the next section, we will see which Adobe products are most affected by these combinations of weaknesses and threats.
The top 3 weaknesses contributing to the malware category are: CWE-125 (Out-of-bounds Read), CWE-119 (Buffer Overflow), and CWE-399 (Resource Mismanagement). Together, the above weaknesses contribute to 1,047 unique vulnerability-malware pairs. The Out-of-bounds Read weakness has been exploited in 109 unique vulnerabilities, resulting in 905 unique vulnerability-malware pairs. The Buffer Overflow weakness has been exploited in 7 unique CVEs, resulting in 117 unique CVE-malware pairs. The Resource Mismanagement weakness has been exploited in 5 unique CVEs resulting in 25 unique CVE-malware pairs.
Figure 5(d): CWE to Threat Category Mappings
We will delve deep into the correlation between weaknesses and threat types, i.e., the exploit and malware types. Figure 5(d) depicts this relationship where the weaknesses are mapped to applicable threat types. As explained in the methodology section above, the threat type labeling is derived from several attributes of a given exploit code or malware. The exploit category is further labelled as RCE, DoS, Web Apps, and PE threat types and the malware category is further labelled as Trojan, Exploit Kits, and Ransomware. Wherever threat type labelling was not possible due to lack of sufficient quality data, the threat type is retained as either malware or exploit.
6. Product Details
In this section, we will review the products contributing to Adobe-related vulnerabilities over all the years. Specifically, we look at the product families that are contributing to these vulnerabilities. Though Adobe has an extensive lineup of products, there are two major families under which most of their products can be categorized: the Acrobat/Reader family and the Flash family. All products within each family are susceptible to the same set of CVEs since they use the same underlying code constructs and architecture. For example, Adobe Reader and Acrobat are vulnerable to the same set of CVEs since they are built on the same platform. When a certain product of a family has CVEs specific to it, we have attributed those CVEs to that product alone while other CVEs that are common to all products in the family are attributed to the entire family.
Let's begin by looking at the top 5 products contributing to the overall vulnerability count over the years, shown in Figure 6(a). The top two contributors are the Acrobat/Reader and Flash products. Together they contribute to nearly 80% (2,421) of all Adobe vulnerabilities. Acrobat/Reader contributes 1,338 vulnerabilities while the Flash Player contributes 1,083 vulnerabilities.
Figure 6(a): Top 5 Products Contributing to the Overall Vulnerability Count
Figure 6(b): Top 5 Products Contributing to the High-Severity Vulnerabilities (slices: Adobe Acrobat Reader 42%, Flash Player 41%, Shockwave Player 7%, Digital Editions 1%, Photoshop 1%)
The top 5 products contributing to the high-severity vulnerabilities are shown in Figure 6(b). The order between the products contributing to the overall vulnerability count and the high-severity vulnerability count remains the same for the top 4 products, i.e., Adobe Acrobat and Reader with 983 CVEs, Flash Player with 953 CVEs, Shockwave Player with 167 CVEs and Digital Editions with 27 CVEs. Photoshop takes the fifth position in high-severity vulnerabilities, with a count of 25 CVEs.
Acrobat/Reader and Flash products are the highest contributors to the total vulnerability count and high-severity vulnerability count. Together they contributed 2,421 vulnerabilities to the total count and 1,936 to the high-severity count across all the years.
Figure 6(c) shows the top 3 products contributing to the overall vulnerability count. As expected, Acrobat/Reader and Flash products take the lead over all years. Further, a leap in the overall vulnerability count in 2015 and beyond can be attributed to these two products. This is especially true of Acrobat/Reader, which has 137, 227, 211, and 289 vulnerabilities from 2015–2018, respectively. Though Flash also has high vulnerability counts across 2015–2018 (338, 257, 70, and 24 CVEs respectively), it can be observed that Flash product vulnerabilities have been decreasing rapidly since 2017. This is most likely due to online content media moving away from Flash as a delivery mechanism, thus making it a less attractive target for malicious hackers. Additionally, this reduction in Flash’s vulnerability count does not necessarily mean that it's becoming more secure. Note that Flash still has critical vulnerabilities that have been used in propagating Exploit Kits in 2017 and 2018.
Figure 6(a) slices: Adobe Acrobat Reader 44%, Flash Player 35%, Shockwave Player 6%, ColdFusion 3%, Digital Editions 2%
Figure 6(c): Top 3 Products Contributing to the Vulnerabilities Each Year
Adobe's introduction of Acrobat DC in 2015 is the key contributor to the increase in Acrobat product vulnerabilities. This indicates that Adobe’s venture into cloud-based product delivery did not have sufficient application threat modeling in place during the product’s design and development phases.
We will now map the threat-to-weakness pairs shown in previous sections to their respective Adobe products.
Figure 6(d) illustrates this relationship. We show how each product is susceptible to certain threats due to the weaknesses introduced during their development. While Out-of-bounds Read (CWE-125) is the key weakness in Acrobat/Reader, Buffer Overflow (CWE-119) takes the top spot for the Flash product. The figure also shows the resulting threat types from such weaknesses introduced into each product line. In particular, exploit kits targeting Flash products are often made possible by the Buffer Overflow weakness. Further, the Buffer Overflow weakness is responsible for the majority of RCE. To summarize, Flash products have the Buffer Overflow weakness that has led to DoS and RCE-based threats.
Figure 6(d): Products Mapped to Threats and Vulnerability Types
Conclusion
In this report we have analyzed Adobe product-related vulnerabilities over the last 20 years, their likely causes, and how they have resulted in threats in the real world. This analysis clearly highlights the importance of evaluating vulnerabilities in the context of weaponization. We have seen that large numbers of vulnerabilities do not always translate to real-world threats. Conversely, the data shows that years with fewer vulnerabilities can result in more overall weaponization and risk for the enterprise. As such, an up-to-date view of vulnerability weaponization is essential for making good information security decisions and prioritizing an organization’s efforts.
Our analysis of vulnerability lifecycle metrics like TTD, TTW, and TTP emphasizes the need for a timely, threat-centric remediation approach. This is especially important considering the latency between vulnerability disclosure, weaponization, and patch times. Such a threat-centric approach can allow organizations to stay ahead of the threats that pose the greatest risk.
Finally, we have enumerated the software weaknesses that are responsible for vulnerabilities in Adobe products and how these weaknesses ultimately map to threats in the wild. These insights should be valuable to all developers, and further highlight the criticality of secure coding and development practices.
We ultimately hope that this long-term, lifecycle view of vulnerabilities leads to more secure products and more secure organizations. Product development, vulnerability discovery and reporting, and threat weaponization all come together to ultimately define an organization’s risk. While Adobe products are only a slice of an organization’s software footprint, we hope that this analysis provides a model that can extend to all enterprise software and assets.
Appendix A
Total number of vulnerabilities by year categorized by their severity.
YEAR        TOTAL COUNT   LOW   MEDIUM   HIGH   THREATS
1996-2004            24     3        9     12         6
2005                 17     4        6      7         5
2006                 34     9       18      7         3
2007                 39     0       27     12        14
2008                 63     1       28     34        16
2009                 99     1       25     73        24
2010                208     1       24    183        38
2011                203     0       36    167        16
2012                149     0       14    135         9
2013                149     1        7    141        16
2014                139     0       24    115        22
2015                496     1       66    429       176
2016                538     0       58    480       125
2017                359     0       99    260        74
2018                374     0      253    121       177
TOTAL              2891    21      694   2176       721
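The conclusion's point that vulnerability volume and weaponization diverge can be checked against the Appendix A figures. The following is an added example, not part of the RiskSense report: it uses only the TOTAL COUNT and THREATS columns, assumes THREATS counts the vulnerabilities mapped to a threat in each period, and the function names are illustrative.

```python
# Appendix A rows as "period total_count threats", transcribed from the
# report's table. Reading THREATS as the weaponized count is an assumption.
APPENDIX_A = """\
1996-2004 24 6
2005 17 5
2006 34 3
2007 39 14
2008 63 16
2009 99 24
2010 208 38
2011 203 16
2012 149 9
2013 149 16
2014 139 22
2015 496 176
2016 538 125
2017 359 74
2018 374 177
TOTAL 2891 721
"""

def load(text):
    """Split the table into per-period rows and the stated TOTAL row."""
    rows, stated = {}, None
    for line in text.splitlines():
        period, total, threats = line.split()
        if period == "TOTAL":
            stated = (int(total), int(threats))
        else:
            rows[period] = (int(total), int(threats))
    return rows, stated

def check_totals(rows, stated):
    """True when the per-period rows add up to the report's TOTAL row."""
    summed = tuple(sum(column) for column in zip(*rows.values()))
    return summed == stated

def weaponization_rates(rows):
    """Percentage of each period's vulnerabilities that map to a threat."""
    return {p: 100.0 * threats / total for p, (total, threats) in rows.items()}

def summarize(rows):
    """Periods with the most CVEs, most threats, and extreme threat rates."""
    rates = weaponization_rates(rows)
    return {
        "peak_volume": max(rows, key=lambda p: rows[p][0]),
        "peak_threats": max(rows, key=lambda p: rows[p][1]),
        "peak_rate": max(rates, key=rates.get),
        "lowest_rate": min(rates, key=rates.get),
    }

if __name__ == "__main__":
    rows, stated = load(APPENDIX_A)
    print("rows match TOTAL:", check_totals(rows, stated))
    for period, rate in weaponization_rates(rows).items():
        total, threats = rows[period]
        print(f"{period:>9}  {total:>4} CVEs  {threats:>3} threats  {rate:5.1f}%")
    print(summarize(rows))
```

The peak-volume year and the peak-rate year differ, which is the pattern the conclusion describes: counting vulnerabilities alone would rank the wrong year as the riskiest.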
Appendix B
Adobe vulnerabilities (CVEs) not identified by Tenable (Nessus), Rapid7 (Nexpose), and Qualys scanners.
© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_Adobe_20190411
About RiskSense
RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.