Vulnerability Management

Sponsored Video: Greg Fitzgerald of Fortinet on data management

Fortinet's Greg Fitzgerald discusses major vulnerabilities, data management, and privacy and compliance issues in the industry at this year's RSA Conference 2012 in San Francisco.

An educated decision: Network smarts at WVU

West Virginia University was looking to protect student and staff data. It found a software solution to assist in the process, reports Greg Masters.

A look at vulnerability assessment tools

If one wants to address a vulnerability, one needs to add vulnerability management.

New Java exploit one of many impacting firms

A new exploit, which has made its way into the Metasploit framework, underscores the danger posed by Java vulnerabilities, which are responsible for many of today's enterprise malware threats.

Best Vulnerability Management & Best Web Application Firewall

Throughout the day, SC Magazine will be announcing the finalists from each of its 32 award categories, covering the Reader Trust, Professional and Excellence sections.

Adobe releases critical Shockwave Player security update

The flaws corrected by an Adobe Shockwave Player update could allow an attacker to run malicious code on an affected system.

Recent attacks cost Energy Department at least $2M

The attacks, which occurred at four department locations, were not described in detail, but were deemed "successful" for adversaries, according to the annual audit.

Vulnerability management: Identifying network vulnerabilities

Web applications are a major cause of network breaches, and new attacks are continually occurring just out of view. While a two-factor authentication approach can reduce vulnerabilities, this system alone will not eliminate the problem. Identifying network vulnerabilities requires adding multiple combinations of factors to guard against the possibility of credentials being stolen or misused.

NIST releases continuous monitoring guidance

The National Institute of Standards and Technology late last week published new guidance to help organizations develop and implement an information security continuous monitoring (ISCM) program. This initiative can help companies better provide ongoing awareness of threats and vulnerabilities, assess the effectiveness of deployed security controls and support risk management decisions, according to the 80-page guidance document. A mature ISCM program, which requires the use of both automated and manual processes, will enable companies to move from compliance-driven to data-driven risk management.

Report says firms must rethink patching strategy

Organizations should consider risk when fixing vulnerabilities, especially considering most bugs are present in third-party applications.

DHS unveils new programs for software security

Software buyers may soon have access to more secure offerings, thanks to a new scoring system that will allow end-users to demand more assurance.

Exploits begin for patched Internet Explorer bug

Attackers are now actively exploiting one of the 11 Internet Explorer (IE) vulnerabilities patched Tuesday by Microsoft, a Symantec researcher said Friday.

Standardized vulnerability reporting framework unveiled

The new Common Vulnerability Reporting Framework (CVRF) was designed to provide a common method for the creation, dissemination and consumption of security vulnerability data.

Oracle readies 73 patches in security update

Oracle has announced plans to issue 73 patches on Tuesday as part of its quarterly security update. Some of the vulnerabilities affect multiple products. The fixes address vulnerabilities across the database giant's portfolio, and the most severe flaws reside in JRockit, part of Oracle Fusion Middleware, and in Sun GlassFish Enterprise Server, part of the Sun products suite. Oracle encouraged users to update as soon as possible to avoid exploits.

Exploits underway for IE flaw, to be patched today

Attackers are exploiting an Internet Explorer flaw ahead of a planned Tuesday fix for the vulnerability, according to the Microsoft Security Response Center. "We're looking into limited, targeted attacks on a known Internet Explorer issue we're addressing in tomorrow's bulletins," read a Monday tweet. Microsoft is readying 17 patches to address 64 vulnerabilities in its April security update, including publicly known issues in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler and Windows Server Message Block.

Adobe battles yet another Flash Player zero-day bug

Adobe has its hands full with another Flash zero-day vulnerability, this one being actively exploited to target users under the guise of a legitimate Microsoft Word document.

Microsoft's April patch batch to address 64 flaws

Microsoft's planned security update for next week likely will include a fix for a vulnerability that is being actively exploited.

Number of reported vulnerabilities spiked in 2010

System flaws and exploits dramatically jumped last year, but the news is not all bad, as many of the bugs were discovered by their creators.

Managing virtualization: Interview with Rob Juncker, VP of technology, Shavlik

As virtualization becomes more mainstream, even in small and midsize organizations, security professionals must consider the risks of managing this emerging technology. Threats such as VM sprawl, in which IT departments lose visibility of their virtual assets, create the potential for unpatched and vulnerable machines. Rob Juncker, VP of technology at Shavlik, sits down with SC Magazine Executive Editor Dan Kaplan to explain why organizations must apply the same security principles to their virtual machines as they do to their traditional computing systems.

Adobe advises of Flash flaw exploited via Excel docs

Adobe on Monday warned of a "critical" zero-day vulnerability in Flash Player that attackers currently are exploiting through Microsoft Excel files.

Microsoft closes four vulnerabilities, including DLL issues

Microsoft on Tuesday issued three patches to close four vulnerabilities that could be exploited through a new remote attack vector to spread malware.

Microsoft fixes coming for Office, Windows flaws

Three fixes from Microsoft await security administrators next week, the software giant announced Thursday.

Microsoft kicks off 2011 with light patch load

Tuesday's security update is comprised of two fixes for three vulnerabilities, but it does not address two publicly known flaws.

Fixes for two Windows flaws coming from Microsoft

Microsoft is letting administrators ease their way into the New Year, with plans to issue only two patches next week.

WordPress to users: Put down the eggnog and patch

WordPress is urging customers to install the latest version of its popular blogging software to close a "core security bug" that could be exploited to launch cross-site scripting attacks against vulnerable installations. Version 3.0.4 fixes the "critical" issue, present in the HTML sanitation library, and is available for download. "I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for," Matt Mullenweg, WordPress creator, wrote in a blog post on Wednesday. "In the spirit of the holidays, consider helping your friends as well." - DK

Microsoft confirms IE flaw, not yet being exploited

Microsoft has confirmed the presence of an unpatched vulnerability in all versions of its Internet Explorer (IE) browser.

Apple releases QuickTime 7.6.9 to fix 15 flaws

Apple this week released an update to its QuickTime multimedia player to fix 15 vulnerabilities that may allow an attacker to execute arbitrary code or obtain sensitive information, according to a security advisory. QuickTime 7.6.9 is available for machines running Mac OS X 10.5 (Leopard) and Windows 7, Vista, and XP SP 2 or later. The vulnerabilities, which could be exploited by tricking a user into viewing a maliciously crafted video or image file, already were fixed in Snow Leopard, with the Mac OS X 10.6.5 update that was released in November. — AM

Barracuda first security vendor to pay for bug finds

Email and web security provider Barracuda Networks announced Tuesday that it has launched a bug bounty program, becoming what is believed to be the first security vendor to award money to researchers who uncover vulnerabilities in its product line. Flaw finders can cash in between $500 and $3133.70 for locating bugs that compromise confidentiality, availability, integrity or authentication, according to Barracuda. Software providers such as Google and Mozilla offer similar programs. - DK

New Internet Explorer bug found in the wild

Microsoft on Wednesday warned of a fresh flaw in Internet Explorer that researchers at Symantec found was being exploited on a legitimate website.

Adobe discloses "critical" bug in Shockwave Player

Adobe on Thursday revealed a "critical" vulnerability impacting its Shockwave Player. The flaw, present in Shockwave 11.5.8.612 and earlier versions for Windows and Macintosh, could allow an attacker to assume total system control, according to a security bulletin. Though Adobe is not aware of any in-the-wild attacks, the bug has been disclosed publicly. The company did not say when a fix would be released. The current version of Shockwave was released in August to plug 20 holes. — DK
