Small Business Software Vulnerabilities Hackers Love

For many small and medium-sized enterprises, it's not until after a breach has occurred that cybersecurity becomes a priority.

An effective approach to system security must be proactive and defensive. Failure to take a proactive approach to software and web security can have catastrophic consequences.

In 2017, for instance, the virulent WannaCry ransomware attack wreaked havoc on many "unprepared" companies, taking advantage of vulnerabilities in the Windows operating system to take control of hundreds of thousands of computers worldwide.

Part of protecting your business against modern cybersecurity threats is being aware of the software vulnerabilities that hackers love to exploit. In this post, we'll examine the small business software vulnerabilities to watch out for.

But before we dig into software vulnerability examples, it's important to define what a software vulnerability is.

What Is a Vulnerability in Computer Security?

In computer security, a vulnerability refers to a flaw or weakness in a computer system, internal controls, security procedures, or design and implementation, which could be exploited to cause damage or enable an attacker to gain access to a system.

After exploiting a vulnerability, an attacker can install malware, run malicious code, and even steal a company's sensitive data.

Vulnerabilities can be exploited in a number of ways, including SQL injection, cross-site scripting (XSS), buffer overflows, and open-source exploit kits that look for flaws and weaknesses in web applications.

There are many different types of vulnerabilities, classified based on the infrastructure they're found on. These include:

• Software vulnerabilities
• Hardware vulnerabilities
• Network vulnerabilities
• Personnel vulnerabilities
• Organizational vulnerabilities
• Physical site vulnerabilities

In the guide, we'll focus on software vulnerabilities.

Small Business Software Vulnerabilities Hackers Love

Software vulnerabilities are defects in software that could allow a hacker to gain control of a system. Analysis by researchers at Recorded Future found that the majority of exploited vulnerabilities in 2018 targeted Microsoft.

The study revealed that 8 out of 10 vulnerabilities targeted Microsoft products because they are ubiquitously deployed. Attackers are also increasingly exploiting vulnerabilities in Google, Adobe, and Cisco products. Let's briefly go over these software vulnerabilities.

You'll see the acronym "CVE" used in the vulnerability names.

CVE stands for "Common Vulnerabilities and Exposure" and is the industry standard for naming these vulnerabilities.

1. Microsoft Vulnerabilities

Microsoft vulnerabilities are pervasive and target some of its products, including Internet Explorer, Microsoft Office, Windows Server, and more.

CVE-2020-0601

A vulnerability has been discovered that affects how Windows CryptoAPI verifies Elliptic Curve Cryptography (ECC) certificates.

As reported by the NSA in 2020, this vulnerability affects how cryptographic certificates are validated by one of the cryptography libraries in Windows that constitute a part of the CryptoAPI system.

This vulnerability affects all machines running Windows 10 operating systems, including Windows Server versions 2016 and 2019. Hackers could take advantage of this security flaw by using a spoofed code-signing certificate to validate a malicious file, making it appear as if the file is from a trusted source.

CVE-2021-36934

This Microsoft vulnerability, also called HiveNightMare or SeriousSAM, allows attackers to retrieve all registry hives in Windows 10 and 11 systems.

The vulnerability grants non-admin users permission to read files on key registry hives. Once hackers have retrieved the credentials, they use a method known as "pass the hash" to authenticate a remote server with hashed credentials instead of a password.

An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. Since they have full control of the system, they can run commands and even create new users who are a part of the attacker's squad.

CVE-2021-40444

Reported in 2021, this Microsoft vulnerability allows attackers to remotely run arbitrary codes on victims' machines via ActiveX control, often orchestrated through spear-phishing.

This attack, which is based on Microsoft MSHTML Vulnerability, allows a bad actor to craft a malicious ActiveX control to be used on Office documents. The attacker then lures the victim to open the malicious document through phishing or social engineering tactics.

Once a code is executed, the attacker can perform malicious activities, such as running commands remotely and more.

CVE-2020-0609 and CVE-2020-0610

These software vulnerabilities affect Windows Server 2012 and newer versions. When exploited in the RD Gateway Server and Windows Remote Desktop Client, these vulnerabilities allow for remote code execution.

The server vulnerabilities don't require authentication and can easily be exploited via a specially crafted request, such as luring a user into connecting to a malicious server. Find out more about how to protect your Office 365 instance here. 

2. Google Vulnerabilities

Multiple vulnerabilities have been discovered in Google Chrome and applications built using Google's Chromium V8 Engine that could allow for arbitrary code execution. These applications are the target of the following vulnerabilities.

CVE-2022-2477

This vulnerability, classified as critical, has been found in Chromium and its derivatives. A vulnerability in Google Chrome allowed attackers to remotely execute an arbitrary code on the system caused by a use-after-free in Guest view.

By luring a victim into visiting a specially crafted website, a remote attacker could exploit this vulnerability to execute an arbitrary code or a DDoS attack. A 2022 Chrome update has fixed this vulnerability, but those using old versions are not safe.

CVE-2022-2479

CVE-2022-2479 is a unique identifier tied to a security vulnerability in Google Chrome prior to 103.0.5060.134. This vulnerability, dubbed insufficient validation of untrusted input files, allowed an attacker who tricked a user into installing a malicious file to acquire sensitive information from internal file directories via a crafted HTML page.

CVE-2022-2163

The CVE-2022-2163 is a disclosure identifier for a security vulnerability in Google Chrome's cast UI and Toolbar. Currently rated as "high severity" by Chrome's CVE admin, this vulnerability allows an attacker to install a malicious file to exploit heap corruption through UI interaction.

3. Adobe Vulnerabilities

Adobe is widely used globally to create, edit, and share documents and photos online. It makes it easy to create and share documents across platforms and operating systems. However, the platform is not without risks.

Multiple vulnerabilities have been discovered in Adobe products, some of which could allow for arbitrary code execution. Here's a rundown of the most severe vulnerabilities in Adobe.

CVE-2022-24093

Certain Adobe products are vulnerable to potential information disclosure, denial of service, or remote code execution.

CVE-2022-24093 is the unique identifier for publicly known vulnerabilities in Adobe products, particularly in Adobe Photoshop. This vulnerability allows attackers to execute arbitrary code on the system through improper input validation. An attacker could exploit this vulnerability, using a specially-crafted request to execute arbitrary code on the product.

CVE-2022-28274

A vulnerability identified as CVE-2022-28274 has been found in Adobe Photoshop version 23.2.2 (and earlier). These older versions of Photoshop are affected by an out-of-bounds read vulnerability when processing crafted files, which causes the system to read data from memory outside of the bounds it's allowed to access.

Attackers could exploit this vulnerability to execute an arbitrary code in the context of the current user. Exploiting this vulnerability requires the attacker to trick the user into opening a malicious file.

CVE-2022-35697

A vulnerability identified as CVE-2022-35697 has been found in Adobe Experience Manager Core Components versions 2.20.6 and earlier. This cross-site scripting (XSS) vulnerability allows attackers to compromise users' interactions with Adobe products.

If an attacker can trick a user into visiting a URL referencing a malicious page, they may be able to execute malicious JavaScript content in the victim's browser.

CVE-2022-24098

Adobe Photoshop version 23.2.2 is affected by an improper input validation flaw when opening PCX files. Similar to the CVE-2022-28274 vulnerability, exploiting this vulnerability requires the attacker to trick the victim into opening a malicious file.

4. CISCO Vulnerabilities

Vulnerabilities exist in Cisco firewall products that could lead to potential data breaches. These vulnerabilities impact ASA-X enterprise-grade firewalls, CISCO Adaptive Security Software, and Adaptive Security Device Manager (ASDM) GUI for remote operations.

CVE-2021-1585

This vulnerability allows an attacker to execute an arbitrary Java code on an ASDM admin system via a launcher. Cisco discovered it in July 2021, but a patch was not released until June 2022. However, it has been shown that the vulnerability still exists even after the update.

CVE-2022-20828

This remote vulnerability allows attackers to achieve root access on ASA-X with FirePower services using a FirePower module. Because the FirePower module is fully networked, allowing access to both inside and outside of ASA, it makes it resourceful for hackers to stage their attacks.

CVE-2022-20829

Attackers exploit this vulnerability because Cisco's ASDM binary package lacks a cryptographic signature to verify authenticity. Because of this, a malicious ASDM package installed on a Cisco ASA could cause arbitrary code execution on any client connected to it.

Wrapping Up

These are some of the software vulnerabilities that subject small businesses to security risks. How do you keep your business safe from these vulnerabilities? One way is to ensure your software and business tools are updated regularly. 

Updates can prevent security issues and improve the end-user experience. They contain bug fixes and product enhancements that allow you to innovate and stay ahead of the competition. When you ignore updates on your computer, you leave your network open to attacks. Of course, this is only one layer of cybersecurity protection. There are other practices your business might need to implement to keep your company and your data as safe as possible. You can download our Cybersecurity Checklist to get an idea of what you're missing.

If you need help determining if your business is vulnerable to these types of cyber threats, reach out today for a free, no-pressure consultation. We'll help you find the gaps and plug the holes.