The number of macOS vulnerabilities exploited in 2023 increased by more than 30%, according to a new report. The Software Vulnerability Ratings Report 2024 from patch management software company Action1 also found that Microsoft Office programs are becoming more exploitable, while attackers are targeting load balancers like NGINX and Citrix at a record rate.
Action1 analysts used data from the National Vulnerability Database and CVEdetails.com to draw five insights into how the threat landscape changed from 2022 to 2023. Maintenance of the NVD has slowed significantly since February as the National Institute of Standards and Technology tries to cope with a backlog of software and hardware flaws being submitted. NIST said the slowdown was the result of “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.”
The report found that the exploitation rates of macOS and iOS increased by 7% and 8%, respectively, from 2022 to 2023, suggesting they are being increasingly targeted by bad actors.
The exploitation rate is defined as the ratio of exploited vulnerabilities to the total number of vulnerabilities, and provides a measure of the software’s susceptibility to exploitation. In contrast, the exploitation rate of Windows desktop operating systems remained stable at 4%, indicating that Microsoft has a stable vulnerability management process.
Despite the total number of macOS vulnerabilities identified decreasing by 29% in 2023, 18 exploited vulnerabilities were reported, marking a more than 30% increase from the year before.
When it comes to mobile operating systems, the exploitation rate of 8% for iOS was significantly higher than Android’s 0.2%. This shows that, despite the fact that Android devices had more vulnerabilities reported in total, threat actors were focusing their efforts on exploiting iPhones.
iOS also suffered the highest number of remote code execution (RCE) attacks of all mobile operating systems analysed over 2021, 2022 and 2023. An application with a higher RCE count may offer more potential entry points for attackers to exploit. The report authors say the targeted nature of iPhones is possibly due to the perceived value of the data they store.
“The increase in exploited vulnerabilities for MacOS and iOS is a concerning trend for Apple,” the analysts wrote. “For some reason, the company is not managing to fix vulnerabilities before attackers exploit them.
“For organisations, this means they should not only ensure regular updates for Apple OS but also consider implementing additional security measures for Mac devices.”
Load balancers NGINX and Citrix both had very high exploitation rates in 2023 — 100% and 57%, respectively. Despite load balancer vulnerabilities making up only 0.2% of the total number of vulnerabilities from 2021 to 2023, the exploitation rates are significant because of the potential impact a successful exploitation can have.
Attackers can gain the ability to intercept, modify and redirect network traffic, thereby accessing sensitive data and disrupting services. Compromised load balancers can also serve as entry points for launching further attacks within the network.
For example, the 2023 CitrixBleed zero-day vulnerability allowed attackers to send a large HTTP GET request to a NetScaler ADC or Citrix Gateway appliance, causing a buffer overflow that leaked adjacent memory. More than 300 companies were warned about their exposure by the U.S. Cybersecurity and Infrastructure Security Agency, and telecommunications company Xfinity said the sensitive information of 36 million customers was stolen through CitrixBleed attacks.
The report’s authors wrote: “For organisations, this means they need to pay close attention to ensuring regular updates for the Citrix load balancer or look for alternatives, considering the company’s needs.”
In 2023, 17 vulnerabilities were identified in Microsoft SQL Server, marking a 1,600% increase compared to the previous year. Every one of them was an RCE, a concerning indication of how many entry points the product offers. The spike suggests that attackers are getting faster at discovering and exploiting unknown RCEs, and that more undiscovered vulnerabilities might remain in Microsoft SQL Server.
The report’s authors wrote: “MSSQL is a lucrative target for hackers due to its widespread use in enterprise environments, housing valuable data like customer information and financial records. Its remote accessibility makes it susceptible to exploitation from anywhere.
“Consequently, organisations must prioritise robust security measures to safeguard their MSSQL servers and prevent potential data breaches.”
Microsoft Office has the highest total number of vulnerabilities among all office apps. Around 80% of its vulnerabilities are deemed critical each year, and between 40 and 50% of them are RCEs. Furthermore, its exploitation rate increased by 5% in 2023.
Attackers view office apps as more easily exploitable than other software because they are user-facing and therefore prone to human error. Common user interactions like opening documents, enabling macros and clicking on embedded links can be utilised as part of phishing attacks.
Microsoft Office, in particular, is widely used and so presents the best opportunity for a successful attack of this nature, as it is recognised and trusted by users. The authors wrote that we can expect more phishing attacks aimed at exploiting MS Office vulnerabilities.
They wrote: “This underscores the need for CISOs to enforce security awareness among employees and enhance endpoint monitoring with endpoint protection systems, in addition to robust patching.”
Edge saw the highest number of total RCE vulnerabilities among major web browsers in the last three years, with 14. The number grew by 500% from 2021 to 2022, and then by 17% from 2022 to 2023. RCEs accounted for 10% of all vulnerabilities reported in Edge, while just 1% of vulnerabilities in Chrome and Firefox were RCEs.
In addition, Edge had a 7% vulnerability exploitation rate in 2023 — an increase from 2022’s 5% — while Chrome and Firefox had about 2% and 3%, respectively. While Edge actually had the lowest number of reported vulnerabilities of the three browsers in 2022 and 2023, exploiting it is proving the most lucrative for attackers.
The report authors explained: “The fact that Edge faces an increase in RCE and exploited vulnerabilities, despite having a relatively low number of total vulnerabilities, suggests that Microsoft does not yet actively enforce a vulnerability management program for this web browser as rigorously as Google does for Chrome or Mozilla does for Firefox.
“This implies that it might not be a good idea to use Edge as the main corporate web browser.”