This was the second successive year that Microsoft topped this list, the firm's Kathleen Kuczma said in a blog post, pointing out that the Redmond behemoth had been affected by seven out of the top ten vulnerabilities in 2017.
In the two years before that, 2015 and 2016, the majority of the top 10 vulnerabilities targeted Adobe's Flash Player. In 2018, only one Flash vulnerability made the top 10, and the remaining entry targeted Android.
As in the 2017 report, the list changed from year to year: the most exploited vulnerability of 2017, which targeted Microsoft Office, dropped to fifth place in 2018. Exploits used by nation states were not included in the study.
A list of 167 exploit kits was one of the parameters used to determine the most referenced and exploited vulnerabilities of 2018.
This year, Recorded Future also looked at remote access trojans and found that 35 new ones were released in 2018, 12 fewer than in 2017. Only one, known as Sisfader, was tied to a top vulnerability, in this case a Microsoft Office flaw.
An exploit kit known as ThreadKit was notable for the number of mentions it received on the dark web, Kuczma noted. ThreadKit contained exploits for four of the top ten vulnerabilities as of the end of 2018 and was selling for US$400.
Kuczma offered the following tips for those who wanted to avoid being hit by Windows vulnerabilities to the extent possible:
- Prioritise patching of all the vulnerabilities identified in this post.
- Do not forget to patch older vulnerabilities – the average vulnerability stays alive for nearly seven years.
- Remove the affected software if it does not impact key business processes.
- Consider Google Chrome as a primary browser.
- While Flash Player is going away and more sites have increasingly removed this technology, continue to exercise caution with websites that have not.
- Use browser ad-blockers to prevent exploitation via malvertising.
- Frequently back up systems, particularly those with shared files, which are regular ransomware targets.
- Users and organisations should conduct or maintain phishing security awareness to mitigate attacks.
- Companies should deliver user training to encourage scepticism of emails requesting additional information or prompting clicks on any links or attachments. Companies will not generally ask customers for personal or financial data, but when in doubt, contact the company directly by phone and confirm if they actually need the information.
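The first three tips above (patch the listed flaws, do not forget older ones, remove affected software you do not need) are easiest to act on if you can audit a host quickly. The following PowerShell script is an added example and is not code from Recorded Future or from the blog post; the KB identifiers it takes as input are placeholders that you must replace with the hotfixes mapped from the CVEs you are prioritising, and the Flash Player detection relies on the standard uninstall registry keys and the ActiveX drop folder under System32.

```powershell
# Added example (not from the Recorded Future post): audit one Windows host for
# (1) expected hotfixes that are missing and (2) Flash Player remnants.
# The KB numbers below are placeholders, not identifiers from the report;
# supply the real ones with -RequiredHotfixes when you run the script.

param(
    [string[]]$RequiredHotfixes = @('KB0000001', 'KB0000002')   # placeholders
)

function Get-MissingHotfix {
    param([string[]]$Required)
    # Get-HotFix reads Win32_QuickFixEngineering, i.e. OS-level updates only.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Required | Where-Object { $_ -notin $installed }
}

function Test-FlashPresent {
    # Check both the native and the 32-bit (WOW6432Node) uninstall views,
    # then the folder where the ActiveX control is dropped.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $apps = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Flash Player*' }
    $ocx  = Test-Path "$env:SystemRoot\System32\Macromed\Flash"
    [bool]($apps -or $ocx)
}

$missing = Get-MissingHotfix -Required $RequiredHotfixes
if ($missing) {
    Write-Warning ("Missing hotfixes: " + ($missing -join ', '))
} else {
    Write-Output "All required hotfixes are installed."
}

if (Test-FlashPresent) {
    Write-Warning "Flash Player is still installed; remove it unless a business process depends on it."
}
```

Run it as `.\Audit-Host.ps1 -RequiredHotfixes KB..., KB...` from an elevated prompt. One caveat: Get-HotFix only reports operating-system updates, so the patch state of Office, Flash Player and other applications has to be checked separately, for example by comparing the installed product version against the vendor's fixed version.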