Report: Microsoft Bugs 'Most Exploited' by Hackers

By John Lister

According to a recent report from a security company, Microsoft products made up eight of the ten most exploited software bugs last year. That's higher than in recent years, largely because Adobe Flash is becoming a less rewarding target for hackers as it loses popularity.

As recently as 2015, most of the top ten involved bugs with Flash. Microsoft took the unwanted lead in 2017 with seven entries on the list. (Source: bleepingcomputer.com)

Internet Explorer Tops The List

The top spot for 2018 went to a bug in the Windows VBScript engine, the component that runs scripting code embedded in web pages viewed in Internet Explorer. While Internet Explorer has lost popularity in recent years, the bug was likely attractive to hackers because it allowed remote code execution.

In simple terms, the bug meant that a victim simply visiting a booby-trapped page would be enough to give the hackers the ability to upload and execute malicious programs (malware) on the user's computer. This would then allow cyber criminals to spy on PCs remotely, including stealing financial information or even activating web cameras.

The top 10 list was based around how widely exploited a bug was, rather than how many computers were made vulnerable by it.

Recorded Future, the company behind the list, said this meant some of the highest-profile bugs, such as Spectre and Meltdown (which affected every computer processor made since 1995), were absent from the top 10. It appears those bugs were mainly used by a small but significant group of hackers, including those working on behalf of governments. (Source: theregister.co.uk)

Instead, the list was based largely on popular exploit kits. These are effectively a package of "tools of the trade" for cyber criminals, allowing them to easily take advantage of numerous bugs in operating systems or programs, rather than having to develop or learn ways to exploit each one individually.

Microsoft Debate Continues

One of the more notable bugs in the list was another Internet Explorer vulnerability. It's notable because it has now been in the list for three straight years. It's particularly worrying as it has "no mitigating factors."

Overall the list included three Internet Explorer bugs, five from Microsoft Office, one from Adobe Flash and one from Google's Android system.

Such lists always spark debate in the tech industry because there is often disagreement over why certain products and services 'make the cut' while others don't. Some argue that Microsoft software is "inherently less secure" than rival products. Others argue that it's more likely hackers put more effort into targeting Microsoft because the audience of potential victims is so large.

What's Your Opinion?

Are you surprised by this list? Do you think Microsoft products are more prone to security flaws? Or is it simply an inevitable result of the numbers game?


Comments

Dennis Faas

The fact of the matter is that MS Windows dominates the market, and more people have machines running MS Windows. As such, hackers will simply go where there is a greater chance of being successful and profitable. To argue that MS products are "inherently less secure" is a bunch of baloney. That may have been true back in Windows XP days, but it's certainly not the case anymore. If Mac or Linux were as popular as MS Windows and had as much of a user base, you would have the same issues.

jcgrande

I agree with you, Dennis. The hackers will always go where they get the biggest bang for their buck. They're not going to waste their time and money going after some software that only has a few thousand subscribers.

kitekrazy

Can I get a duh! on this? It's the largest platform out there.

JimBo

How does the new Microsoft Edge figure into the mix? Is it being positioned to replace Internet Explorer? So, as a replacement, wouldn't it wipe the slate clean as far as reported vulnerabilities against I.E.?

Is Edge a rewrite of I.E. or is it just the same old code with some new enhancements and a bit of re-packaging?