Vulnerabilities In Microsoft And Google Products Have The Most Effect On Businesses

Microsoft and Google are both giant technology companies, so vulnerabilities in their products will almost certainly disrupt enterprise services and systems.

According to cybersecurity company Tenable, the most prevalent vulnerabilities, ranked by their assigned CVE numbers, severity scores and update metrics, have the potential to impact between 20 and 30 percent of all enterprises if they are left unpatched or unresolved.

In its 'Vulnerability Intelligence Report', Tenable claims that Microsoft .NET and Office, Adobe Flash, and Oracle's Java have the most widespread impact on enterprise assets. In total, half of vulnerability-based enterprise threats are caused by problems with Adobe Flash, while 20 percent of vulnerabilities belong to Microsoft Office.

When it comes to the individual vulnerability with the most impact and severity, Tenable points to one particular security flaw in Microsoft software, CVE-2018-8202, which is believed to have the potential to impact 32 percent of enterprises.

Second on Tenable's list is Google, with its Chrome browser.

CVE-2018-6153 is a stack-based buffer overflow caused by improper bounds checking in Skia, Chrome's graphics library. If an attacker can trick a victim into opening a specially crafted website, the overflow can be triggered, allowing the attacker to execute arbitrary code or to crash the victim's system.

Tenable estimates that 30 percent of enterprise systems could be impacted by this bug.

Third place goes to CVE-2015-6136, a vulnerability in Microsoft Internet Explorer first discovered back in 2015. This scripting engine memory corruption vulnerability is estimated to potentially impact 28 percent of enterprises, and is described as a flaw which permits remote code execution via a specially crafted website.

The fourth vulnerability believed to have the most impact on the enterprise is CVE-2018-2938, a bug in a component of Oracle's Java which can be used to gain elevated privileges. According to Tenable, this security flaw could impact up to 28 percent of enterprises.

The fifth vulnerability is again in Microsoft software. CVE-2018-1039 in the .NET Framework allows attackers to bypass Device Guard functionality. This security flaw is believed to have the potential to impact up to 28 percent of businesses.

The remaining 15 vulnerabilities and security problems, some with CVE identifiers assigned and some without, that also have the potential to disrupt enterprises are described by Tenable as listed below:

  • No CVE assigned, SSL, 27 percent: SSL 2.0 and/or SSL 3.0 are affected by cryptographic flaws, including an insecure padding scheme.
  • CVE-2018-6130, Google Chrome, 26 percent: An out-of-bounds memory access issue in WebRTC.
  • CVE-2018-8242, Microsoft IE, 26 percent: A remote code execution vulnerability which exists in the way that the scripting engine handles objects in memory in Internet Explorer.
  • CVE-2017-8517, Microsoft IE, 25 percent: The failure of the JavaScript engines in Microsoft browsers to handle objects in memory properly allows attackers to execute arbitrary code.
  • CVE-2018-5007, Adobe Flash Player, 25 percent: A type confusion vulnerability exists in versions 30.0.0.113 and earlier, which can lead to the execution of arbitrary code.
  • CVE-2018-8249, CVE-2018-0978, Microsoft IE, 24 percent: A vulnerability which leads to remote code execution in IE due to improper object access.
  • CVE-2018-8310, Microsoft apps, 23 percent: A vulnerability exists when Microsoft Outlook doesn't properly handle specific attachment types when rendering HTML emails. The bug impacts Microsoft Word and Microsoft Office.
  • CVE-2018-5002, Adobe Flash Player, 23 percent: Impacting versions of the software 29.0.0.171 and earlier, this vulnerability is a stack buffer overflow problem which can lead to the execution of arbitrary code.
  • CVE-2018-8178, Microsoft, 23 percent: A remote code execution vulnerability in Microsoft browsers.
  • CVE-2018-2814, Oracle Java, 23 percent: A bug in the Java SE embedded component of Oracle Java SE can result in a complete takeover by attackers.
  • CVE-2018-5008, Adobe Flash Player, 23 percent: Affecting versions 30.0.0.113 and earlier, the read security vulnerability can lead to information disclosure.
  • CVE-2017-11215, Adobe Flash Player, 22 percent: Versions 27.0.0.183 and earlier are affected by a use-after-free bug in the Primetime SDK which could lead to code corruption, control-flow hijack or an information leak.
  • No CVE assigned, Mozilla, 22 percent: Legacy Mozilla applications, such as outdated versions of Firefox, Thunderbird and SeaMonkey, may contain vulnerabilities, as security updates are no longer available for them.
  • CVE-2015-0008, Microsoft, 22 percent: An untrusted search path vulnerability in the MFC library in Microsoft Visual Studio .NET can be exploited by attackers to gain local privileges.
  • CVE-2018-4944, Adobe Flash, 22 percent: Adobe Flash versions 29.0.0.140 and earlier contain a bug that can be exploited for execution of arbitrary code.

"Vendors such as Microsoft, Adobe, and Oracle have a comparatively low amount of distinct vulnerabilities, but affect a large number of enterprises and assets," Tenable said.

"These represent a global risk, as they affect a large number of enterprises and assets worldwide."

Published: 09/11/2018