Understanding Exploit Kits’ Most Popular Vulnerabilities

Michael Marriott | 13 September 2016

One significant aspect of mitigating the risk posed by exploit kits is keeping software up-to-date. However, for some organizations, knowing what to patch as a priority can be difficult. Our latest whitepaper helps organizations to understand what vulnerabilities are most frequently targeted and helps them to prioritize their patching processes. 

In order to assess the popularity of vulnerabilities (and in turn help organizations to prioritize their patching processes), it is possible to look at both the vulnerabilities that the exploit kits exploit, as well as how many times the vulnerabilities were mentioned alongside the exploit kits.


The vulnerability that had been implemented into the most exploit kits was shown to be CVE-2013-2551, which was a Microsoft Internet Explorer vulnerability affecting versions 6 through to 10. It allowed remote attackers to execute arbitrary code via a crafted website. The likely reason for this vulnerability being so widely exploited was that a proof of concept (POC) exploit had been made publicly available in May 2013, after it had been exploited at a prominent security conference the same year. The top 20 vulnerability findings are illustrated in Figure 1.

Exploit Kits and Vulnerabilities

Figure 1 - A graph showing the number of exploit kits exploiting a given vulnerabilities

 

 Exploit Kit Vulnerabilities Descriptions

Figure 2 - Top 7 CVE numbers and description

 

Using a list of exploit kit names and searching the vulnerabilities researched in the report alongside them, it was possible to supplement the above findings. We used mentions of CVEs and exploit kits sourced from the dark web, including criminal forums, .onion and I2P domains, security researcher blogs and security vendor blog pages as part of this research. Figure 3 shows a strong correlation between how many exploit kits have exploited a vulnerability, and how frequently these are mentioned alongside each other.

Exploit Kit Vulnerabilities and Mentions 

Figure 3 - Comparison of top 10 vulnerabilities based on CVE mentions and exploit kits exploiting them

While these vulnerabilities are shown to be common across exploit kits, this is not exhaustive and will likely change in the future. Nevertheless, organizations can learn which vulnerabilities should definitely be patched as a priority. You can read more about the most popular exploit kits and the vulnerabilities they exploit in or white paper ‘In the business of exploitation’.