The number of macOS vulnerabilities exploited in 2023 increased by more than 30%, according to a new report. Patch management software company Action1's 2024 Software Vulnerability Rating Report also found that Microsoft Office programs are becoming more exploitable, while attackers are targeting load balancers such as NGINX and Citrix at a record pace.
Action1 analysts used data from the National Vulnerability Database and CVEdetails.com to extract five insights into how the threat landscape changed from 2022 to 2023. NVD maintenance has slowed significantly since February as the National Institute of Standards and Technology works through a backlog of software and hardware flaws awaiting analysis. NIST said the slowdown was the result of "an increase in software and therefore vulnerabilities, as well as a shift in interagency support."
1. macOS and iOS are becoming bigger targets
The report found that the exploitation rates for macOS and iOS rose to 7% and 8%, respectively, between 2022 and 2023, suggesting that bad actors are increasingly targeting them.
The exploitation rate is defined as the ratio of exploited vulnerabilities to the total number of reported vulnerabilities, and it measures how likely a given product's flaws are to be exploited once they are found. In contrast, the exploitation rate for Windows desktop operating systems held steady at 4%, which the authors read as a sign of a stable vulnerability management process at Microsoft.
Although the total number of macOS vulnerabilities identified in 2023 fell by 29%, 18 of them were exploited, an increase of more than 30% over the previous year.
Among mobile operating systems, iOS's 8% exploitation rate was far higher than Android's 0.2%. Even though Android had more reported vulnerabilities in total, threat actors were concentrating their effort on iPhones.
iOS also had the most remote code execution (RCE) vulnerabilities of all the mobile operating systems analyzed in 2021, 2022 and 2023. A higher RCE count means more potential entry points for an attacker. The report's authors suggest iPhones are singled out because of the perceived value of the data they hold.
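The exploitation rate and the RCE count above are simple aggregates, but the distinction between a count and a rate is what makes the macOS and Android figures look the way they do: a product can report fewer vulnerabilities and still become riskier if a larger share of them is exploited, and a product with many vulnerabilities can still show a tiny rate. The following Python is an added example, not code from the Action1 report or its authors. It assumes a per-CVE record with product, year and an RCE flag, as one would extract from the NVD JSON feed, plus a set of CVE IDs known to be exploited (from CVEdetails or CISA's KEV catalog, assumed here); the records and CVE IDs below are constructed, not the report's data.

```python
"""Compute per-product exploitation rate, RCE count and year-over-year
changes in the style of the report. Added example; input is constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    year: int
    rce: bool  # True when the flaw allows remote code execution


def build_sample() -> tuple[list[Vuln], set[str]]:
    """Constructed sample data set. Counts and IDs are illustrative only."""
    # product, year, total reported, indices exploited, indices that are RCE
    spec = [
        ("iOS", 2022, 5, {0}, {0, 1}),
        ("iOS", 2023, 4, {0}, {0, 2}),
        ("Android", 2023, 8, set(), {3}),
        ("macOS", 2022, 4, {1}, {1}),
        ("macOS", 2023, 2, {0}, {0}),
    ]
    vulns: list[Vuln] = []
    exploited: set[str] = set()
    for n, (product, year, total, exp_idx, rce_idx) in enumerate(spec):
        for i in range(total):
            cve = f"CVE-{year}-9{n}{i:03d}"  # fake, unique IDs
            vulns.append(Vuln(cve, product, year, i in rce_idx))
            if i in exp_idx:
                exploited.add(cve)
    return vulns, exploited


def summarize(vulns: list[Vuln], exploited: set[str]) -> dict:
    """Per (product, year): total, exploited, rce and rate (percent)."""
    stats = defaultdict(lambda: {"total": 0, "exploited": 0, "rce": 0})
    for v in vulns:
        s = stats[(v.product, v.year)]
        s["total"] += 1
        s["exploited"] += v.cve in exploited
        s["rce"] += v.rce
    for s in stats.values():
        # exploited / total, the definition used in the report
        s["rate"] = round(100.0 * s["exploited"] / s["total"], 1)
    return dict(stats)


def rate_change_points(stats: dict, product: str, y_from: int, y_to: int) -> float:
    """Change in exploitation rate in percentage points, not percent."""
    return round(stats[(product, y_to)]["rate"] - stats[(product, y_from)]["rate"], 1)


def total_change_pct(stats: dict, product: str, y_from: int, y_to: int) -> float:
    """Percent change in the number of reported vulnerabilities."""
    before = stats[(product, y_from)]["total"]
    after = stats[(product, y_to)]["total"]
    return round(100.0 * (after - before) / before, 1)


if __name__ == "__main__":
    vulns, exploited = build_sample()
    stats = summarize(vulns, exploited)
    for (product, year), s in sorted(stats.items()):
        print(f"{product:8} {year}  total={s['total']:2}  exploited={s['exploited']}"
              f"  rce={s['rce']}  rate={s['rate']}%")
    # Fewer macOS vulns reported, but a higher share of them exploited
    print("macOS total change:", total_change_pct(stats, "macOS", 2022, 2023), "%")
    print("macOS rate change:", rate_change_points(stats, "macOS", 2022, 2023), "points")
```

Note that `rate_change_points` reports percentage points, which is the comparison the report makes between years; a "7% increase" in a rate is ambiguous without that distinction. The sample's macOS rows reproduce the shape of the report's finding: the reported total halves while the exploitation rate doubles.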
“The increase in exploited vulnerabilities for MacOS and iOS is a worrying trend for Apple,” the analysts wrote. “For some reason, the company fails to fix vulnerabilities before attackers exploit them.
“For organizations, this means they should not only ensure regular updates for the Apple operating system, but also consider implementing additional security measures for Mac devices.”
2. Load balancers have a record exploitation rate
NGINX and Citrix load balancers had very high exploitation rates in 2023: 100% and 57%, respectively. Although load balancer vulnerabilities made up only 0.2% of all vulnerabilities reported between 2021 and 2023, those rates matter because of the impact a successful exploit can have.
Attackers can gain the ability to intercept, modify, and redirect network traffic, thereby accessing sensitive data and disrupting services. Compromised load balancers can also serve as entry points to launch further attacks within the network.
SEE: Around 2,000 Citrix NetScalers were compromised in massive attack campaigns
For example, the 2023 CitrixBleed zero-day vulnerability let an attacker send an oversized HTTP GET request to a NetScaler ADC or Citrix Gateway appliance, triggering a buffer over-read that leaked adjacent memory, including valid session tokens that could be replayed to bypass authentication. The U.S. Cybersecurity and Infrastructure Security Agency warned more than 300 organizations about their exposure, and Comcast's Xfinity said the sensitive information of 36 million customers was stolen in CitrixBleed attacks.
The report's authors wrote: “For organizations, this means they need to pay close attention to ensuring regular Citrix load balancer updates or look for alternatives, taking into account business needs.”
3. Microsoft SQL Server RCE vulnerabilities increase
In 2023, 17 vulnerabilities were identified in Microsoft SQL Server, a 1,600% increase over previous years. Every one of them was an RCE, a worrying number of entry points. The jump suggests that attackers are getting faster at discovering and exploiting previously unknown RCEs, and that more undiscovered vulnerabilities may remain in Microsoft SQL Server.
The report's authors wrote: “MSSQL is a lucrative target for hackers due to its widespread use in enterprise environments, hosting valuable data such as customer information and financial records. Its remote accessibility makes it susceptible to exploitation from anywhere.
“Accordingly, organizations should prioritize strong security measures to safeguard their MSSQL servers and prevent potential data breaches.”
SEE: Microsoft security vulnerabilities decreased by 5% in 2023, according to a BeyondTrust report
4. Microsoft Office attacked due to likelihood of human error
Microsoft Office has the highest total number of vulnerabilities among the office applications analyzed. About 80% of its vulnerabilities are rated critical each year, and 40 to 50% of them are RCEs. Its exploitation rate also increased by 5% in 2023.
Attackers consider Office applications easier to exploit than other software because they are user-facing and therefore exposed to human error. Routine interactions, such as opening a document, enabling macros or clicking an embedded link, can be turned into steps of a phishing attack.
SEE: Follina abuses Microsoft Office to execute remote code
Microsoft Office in particular is ubiquitous and trusted by users, which makes it the best vehicle for a successful attack of this kind. The authors expect more phishing campaigns aimed at exploiting MS Office vulnerabilities.
They wrote: “This underscores the need for CISOs to enforce security awareness among employees and improve endpoint monitoring with endpoint protection systems in addition to robust patching.”
5. Microsoft Edge sees an increase in RCE and vulnerabilities
Edge had the highest total number of RCE vulnerabilities among major web browsers over the past three years, with 14. The count grew 500% from 2021 to 2022 and a further 17% from 2022 to 2023. RCEs made up 10% of all reported Edge vulnerabilities, compared with only 1% of Chrome and Firefox vulnerabilities.
SEE: Microsoft Edge cheat sheet
Edge also had a vulnerability exploitation rate of 7% in 2023 (up from 5% in 2022), compared with roughly 2% for Chrome and 3% for Firefox. Although Edge actually had the fewest reported vulnerabilities of the three browsers in 2022 and 2023, its flaws are proving the most lucrative for attackers.
The report's authors explained: "The fact that Edge is facing an increase in RCE and exploited vulnerabilities, despite having a relatively low number of total vulnerabilities, suggests that Microsoft is not yet actively enforcing a vulnerability management program for this web browser as rigorously as Google does for Chrome or Mozilla does for Firefox.
“This implies that it may not be a good idea to use Edge as the main corporate web browser.”