Vulnerability Management

An educated decision: Network smarts at WVU

February 03, 2012

West Virginia University was looking to protect student and staff data. It found a software solution to assist in the process, reports Greg Masters.
 

A look at vulnerability assessment tools

February 01, 2012

If one wants to address a vulnerability, one needs to add vulnerability management.
 

New Java exploit one of many impacting firms

December 01, 2011

A new exploit, which has made its way into the Metasploit framework, underscores the danger posed by Java vulnerabilities, which are responsible for many of today's enterprise malware threats.
 

Best Vulnerability Management & Best Web Application Firewall

November 08, 2011

Throughout the day, SC Magazine will be announcing the finalists from each of its 32 award categories, covering the Reader Trust, Professional and Excellence sections.
 

Adobe releases critical Shockwave Player security update

November 08, 2011

The flaws corrected by an Adobe Shockwave Player update could allow an attacker to run malicious code on an affected system.
 

Recent attacks cost Energy Department at least $2M

October 25, 2011

The attacks, which occurred at four department locations, were not described in detail, but were deemed "successful" for adversaries, according to the annual audit.
 

NIST releases continuous monitoring guidance

October 05, 2011

The National Institute of Standards and Technology late last week published new guidance to help organizations develop and implement an information security continuous monitoring (ISCM) program. This initiative can help companies better provide ongoing awareness of threats and vulnerabilities, assess the effectiveness of deployed security controls and support risk management decisions, according to the 80-page guidance document. A mature ISCM program, which requires the use of both automated and manual processes, will enable companies to move from compliance-driven to data-driven risk management.
 

Report says firms must rethink patching strategy

July 15, 2011

Organizations should consider risk when fixing vulnerabilities, especially considering most bugs are present in third-party applications.
 

DHS unveils new programs for software security

June 27, 2011

Software buyers may soon have access to more secure offerings, thanks to a new scoring system that will allow end-users to demand more assurance.
 

Exploits begin for patched Internet Explorer bug

June 17, 2011

Attackers are now actively exploiting one of the 11 Internet Explorer (IE) vulnerabilities patched Tuesday by Microsoft, a Symantec researcher said Friday.
 

Standardized vulnerability reporting framework unveiled

May 17, 2011

The new Common Vulnerability Reporting Framework (CVRF) was designed to provide a common method for the creation, dissemination and consumption of security vulnerability data.
 

Oracle readies 73 patches in security update

April 15, 2011

Oracle has announced plans to issue 73 patches on Tuesday as part of its quarterly security update. Some of the vulnerabilities affect multiple products. The fixes address vulnerabilities across the database giant's portfolio, and the most severe flaws reside in JRockit, part of Oracle Fusion Middleware, and in Sun GlassFish Enterprise Server, part of the Sun products suite. Oracle encouraged users to update as soon as possible to avoid exploits.
 

Exploits underway for IE flaw, to be patched today

April 12, 2011

Attackers are exploiting an Internet Explorer flaw ahead of a planned Tuesday fix for the vulnerability, according to the Microsoft Security Response Center. "We're looking into limited, targeted attacks on a known Internet Explorer issue we're addressing in tomorrow's bulletins," read a Monday tweet. Microsoft is readying 17 patches to address 64 vulnerabilities in its April security update, including publicly known issues in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler and Windows Server Message Block.
 

Adobe battles yet another Flash Player zero-day bug

April 11, 2011

Adobe has its hands full with another Flash zero-day vulnerability, this one being actively exploited to target users under the guise of a legitimate Microsoft Word document.
 

Microsoft's April patch batch to address 64 flaws

April 07, 2011

Microsoft's planned security update for next week likely will include a fix for a vulnerability that is being actively exploited.
 

Number of reported vulnerabilities spiked in 2010

April 06, 2011

System flaws and exploits dramatically jumped last year, but the news is not all bad, as many of the bugs were discovered by their creators.
 

Managing virtualization: Interview with Rob Juncker, VP of technology, Shavlik

March 15, 2011

As virtualization becomes more mainstream, even in small and midsize organizations, security professionals must consider the risks of managing this emerging technology. Threats such as VM sprawl, in which IT departments lose visibility of their virtual assets, create the potential for unpatched and vulnerable machines. Rob Juncker, VP of technology at Shavlik, sits down with SC Magazine Executive Editor Dan Kaplan to explain why organizations must apply the same security principles to their virtual machines as they do to their traditional computing systems.
 

Adobe advises of Flash flaw exploited via Excel docs

March 14, 2011

Adobe on Monday warned of a "critical" zero-day vulnerability in Flash Player that attackers currently are exploiting through Microsoft Excel files.
 

Microsoft closes four vulnerabilities, including DLL issues

March 08, 2011

Microsoft on Tuesday issued three patches to close four vulnerabilities, some of which could be exploited through a new remote attack vector to spread malware.
 

Microsoft fixes coming for Office, Windows flaws

March 03, 2011

Three fixes from Microsoft await security administrators next week, the software giant announced Thursday.
 

Microsoft kicks off 2011 with light patch load

January 11, 2011

Tuesday's security update comprises two fixes for three vulnerabilities, but it does not address two publicly known flaws.
 

Fixes for two Windows flaws coming from Microsoft

January 06, 2011

Microsoft is letting administrators ease their way into the New Year, with plans to issue only two patches next week.
 

WordPress to users: Put down the eggnog and patch

December 30, 2010

WordPress is urging customers to install the latest version of its popular blogging software to close a "core security bug" that could be exploited to launch cross-site scripting attacks against vulnerable installations. Version 3.0.4 fixes the "critical" issue, present in the HTML sanitation library, and is available for download. "I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for," Matt Mullenweg, WordPress creator, wrote in a blog post on Wednesday. "In the spirit of the holidays, consider helping your friends as well." - DK
 

Microsoft confirms IE flaw, not yet being exploited

December 23, 2010

Microsoft has confirmed the presence of an unpatched vulnerability in all versions of its Internet Explorer (IE) browser.
 

Apple releases QuickTime 7.6.9 to fix 15 flaws

December 09, 2010

Apple this week released an update to its QuickTime multimedia player to fix 15 vulnerabilities that may allow an attacker to execute arbitrary code or obtain sensitive information, according to a security advisory. QuickTime 7.6.9 is available for machines running Mac OS X 10.5 (Leopard) and Windows 7, Vista, and XP SP 2 or later. The vulnerabilities, which could be exploited by tricking a user into viewing a maliciously crafted video or image file, already were fixed in Snow Leopard, with the Mac OS X 10.6.5 update that was released in November. — AM
 

Barracuda first security vendor to pay for bug finds

November 09, 2010

Email and web security provider Barracuda Networks announced Tuesday that it has launched a bug bounty program, becoming what is believed to be the first security vendor to award money to researchers who uncover vulnerabilities in its product line. Flaw finders can cash in between $500 and $3133.70 for locating bugs that compromise confidentiality, availability, integrity or authentication, according to Barracuda. Software providers such as Google and Mozilla offer similar programs. - DK
 

New Internet Explorer bug found in the wild

November 03, 2010

Microsoft on Wednesday warned of a fresh flaw in Internet Explorer that researchers at Symantec found was being exploited on a legitimate website.
 

Adobe discloses "critical" bug in Shockwave Player

October 21, 2010

Adobe on Thursday revealed a "critical" vulnerability impacting its Shockwave Player. The flaw, present in Shockwave 11.5.8.612 and earlier versions for Windows and Macintosh, could allow an attacker to assume total system control, according to a security bulletin. Though Adobe is not aware of any in-the-wild attacks, the bug has been disclosed publicly. The company did not say when a fix would be released. The current version of Shockwave was released in August to plug 20 holes. — DK
 

Google releases Chrome 7 stable channel update

October 21, 2010

Google on Tuesday released a "stable channel" version of its Chrome 7 web browser, with fixes for a number of vulnerabilities. Version 7.0.517.41 for Windows, Mac and Linux includes fixes for at least 11 flaws, which could allow an attacker to execute arbitrary code, cause a denial of service, conduct URL spoofing or bypass security restrictions, according to an advisory from the US-CERT. The one critical flaw listed in the bunch could cause a browser crash due to an issue involving the form auto-fill capability. Of the remaining flaws, five were rated "high," three were listed "medium" and one "low." — AM
 

Another record number of flaws to be fixed by Microsoft

October 07, 2010

Microsoft's October security update will be a doozie, as 16 patches for 49 vulnerabilities are planned.