2014 saw the release of a number of critical vulnerabilities that caused media storms and left script kiddies on the edge of their seats in anticipation of public exploits.
These high impact vulnerabilities included, but were not limited to:
- Heartbleed CVE-2014-0160
- Various ShellShocks CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
- POODLE CVE-2014-3566
Some of the most interesting vulnerabilities were Microsoft specific:
- MS14-064 vulnerabilities in Windows OLE Could Allow Remote Code Execution
- MS14-066 Vulnerability is Schannel Could Allow Remote Code Execution
- MS14-067 Vulnerability in XML Core Services could Allow Remote Code Execution
- MS14-068 Vulnerability in Kerberos Could Allow Elevation of Privilege
Of these major vulnerabilities, Heartbleed, Shellshock, MS14-064 and MS14-068, now all have publicly-available, weaponized exploits. This makes it significantly easier for an attacker to dominate an insecure network environment. At the moment, unpatched MS14-068 presents a huge security hole for corporate Windows Domains. An attacker who is able to successfully exploit this vulnerability may request a Kerberos certificate with Domain Admin rights; all that is required is a valid domain username and password combination.
Not all critical vulnerabilities were new this past year. MS08-067 still looms large, seven years after its release. Our Attack Team was able to leverage this finding in additional, elevated access on a number of engagements this year.
I know I’m beating a dead horse, but you should definitely…
As we witnessed in 2014, the next big breach is always just around the corner. Regular, proactive patching helps to remove some of the low hanging fruit from your organization’s attack surface. Make the hackers work for it!
As we move into the new year, expect to see more breaches and more vulnerabilities to be released.