Studies Provide Insights into Vulnerability Exploitation and the Best Patching Policies

If you want to prevent threat actors from exploiting vulnerabilities and gaining access to your network, you need to make sure you patch promptly, but that is much easier said than done. You could work full time patching flaws, but you still may never get everything fully patched and up to date, so it is necessary to prioritize and ensure that the vulnerabilities most likely to be exploited are addressed. But how should you prioritize patching?

The recently published Verizon 2021 Data Breach Investigations Report (DBIR) shows the most commonly exploited vulnerabilities are rather old. Based on honeypot data, attackers continue to exploit old vulnerabilities, with the Eternal Blue exploit one of the most commonly attempted. Rather than the age of a vulnerability being a factor, it is more the ease of exploitation and what exploiting a vulnerability will allow a threat actor to do. 91% of the vulnerabilities exploited were from 2017, with attempts then tailing off for older vulnerabilities.

“The ideal state for any organization is to patch smarter, not harder, by using vulnerability prioritization not necessarily to improve security, but to improve the organization’s productivity. Every patch that has to be applied means you are that much farther from putting down the keyboard and picking up the d-pad,” explained Verizon in the DBIR. “Anything you can do to avoid patching vulnerabilities that do not improve your security keeps you just as secure but involves much less work (and less chance of burnout from your employees or service providers).”

At this week’s RSA Conference 2021, Trend Micro Senior Researcher Mayra Rosario Fuentes gave a presentation – Live Deeper Dive: Tales from the Underground: The Vulnerability Weaponization Lifecycle – that provided great insights into the exploit market and which vulnerabilities are popular and selling for big bucks on underground forums.

Based on a year-long investigation, the Trend Micro researchers found exploits for critical vulnerabilities in Microsoft products were the most sought after and accounted for 47% of requests and 61% of exploits sold exploited flaws in Microsoft products. There may be critical vulnerabilities in IoT devices, yet only 5% of requests for exploits were for those vulnerabilities. Out of the Microsoft exploits sold, 52% were for Word/Excel, 24% for Windows, 16% for Internet Explorer, and 8% for Remote Desktop.

The study revealed exploits for new vulnerabilities were in demand, with 52% of requests for exploits being vulnerabilities less than 2 years old. These newer vulnerabilities accounted for 54% of exploits sold, but 22% of sold exploits were for vulnerabilities more than 3 years old, with the older vulnerabilities mostly for Microsoft products (45%) and Adobe (21%)

These two reports highlight the importance of prioritizing patching, not just patching based on the severity of the flaw but also taking into consideration the desirability of an exploit. Fuentes explained that “You can’t possibly patch all the CVEs each year,” so prioritization is key. She suggests you should “Focus on what hackers like to focus on: Microsoft and Adobe,” and take advantage of virtual patching to buy time until the patches can be applied.

She also pointed out that over time, the cost of exploits drops as there are fewer targets to attack, but some exploits retain their value longer than others, so “Patching yesterday’s popular vulnerability can be more important than today’s critical one.” That doesn’t mean you should ignore today’s critical vulnerabilities, only that you should prioritize patching carefully to make sure that the vulnerabilities most likely to be exploited are addressed first.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of