Vulnerability Management News, Articles and Updates
Fortinet's Greg Fitzgerald discusses major vulnerabilities, data management, and privacy and compliance issues in the industry at this year's RSA Conference 2012 in San Francisco.
West Virginia University was looking to protect student and staff data. It found a software solution to assist in the process, reports Greg Masters.
If one wants to address a vulnerability, one needs to add vulnerability management.
A new exploit, which has made its way into the Metasploit framework, underscores the danger posed by Java vulnerabilities, which are responsible for many of today's enterprise malware threats.
Throughout the day, SC Magazine will be announcing the finalists from each of its 32 award categories, covering the Reader Trust, Professional and Excellence sections.
The flaws corrected by an Adobe Shockwave Player update could allow an attacker to run malicious code on an affected system.
The attacks, which occurred at four department locations, were not described in detail, but were deemed "successful" for adversaries, according to the annual audit.
Web applications are a major cause of network breaches, and new attacks are continually occurring just out of view. While a two-factor authentication approach can reduce vulnerabilities, this system alone will not eliminate the problem. Identifying network vulnerabilities requires adding multiple combinations of factors to guard against the possibility of credentials being stolen or misused.
The National Institute of Standards and Technology late last week published new guidance to help organizations develop and implement an information security continuous monitoring (ISCM) program. This initiative can help companies better provide ongoing awareness of threats and vulnerabilities, assess the effectiveness of deployed security controls and support risk management decisions, according to the 80-page guidance document. A mature ISCM program, which requires the use of both automated and manual processes, will enable companies to move from compliance-driven to data-driven risk management.
Organizations should consider risk when fixing vulnerabilities, especially considering most bugs are present in third-party applications.
Software buyers may soon have access to more secure offerings, thanks to a new scoring system that will allow end-users to demand more assurance.
Attackers are now actively exploiting one of the 11 Internet Explorer (IE) vulnerabilities patched Tuesday by Microsoft, a Symantec researcher said Friday
The new Common Vulnerability Reporting Framework (CVRF) was designed to provide a common method for the creation, dissemination and consumption of security vulnerability data.
Oracle has announced plans to issue 73 patches on Tuesday as part of its quarterly security update. Some of the vulnerabilities affect multiple products.The fixes address vulnerabilities across the database giant's portfolio, and the most severe flaws reside in JRockit, part of Oracle Fusion Middleware, and in Sun GlassFish Enterprise Server, part of the Sun products suite. Oracle encouraged users to update as soon as possible to avoid exploits.
Attackers are exploiting an Internet Explorer flaw ahead of a planned Tuesday fix for the vulnerability, according to the Microsoft Security Response Center. "We're looking into limited, targeted attacks on a known Internet Explorer issue we're addressing in tomorrow's bulletins," read a Monday tweet. Microsoft is readying 17 patches to address 64 vulnerabilities in its April security update, including publicly known issues in in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler and Windows Server Message Block.
Adobe has its hands full with another Flash zero-day vulnerability, this one being actively exploited to target users under the guise of a legitimate Microsoft Word document.
Microsoft's planned security update for next week likely will include a fix for a vulnerability that is being actively exploited.
System flaws and exploits dramatically jumped last year, but the news is not all bad, as many of the bugs were discovered by their creators.
As virtualization becomes more mainstream, even in small and midsize organizations, security professionals must consider the risks of managing this emerging technology. Threats such as VM sprawl, in which IT departments lose visibility of their virtual assets, creates the potential of unpatched and vulnerable machines. Rob Juncker, VP of technology at Shavlik, sits down with SC Magazine Executive Editor Dan Kaplan to explain why organizations must apply the same security principles to their virtual machines as they do for their traditional computing systems.
Adobe on Monday warned of a "critical" zero-day vulnerability in Flash Player that attackers currently are exploiting through Microsoft Excel files.
Microsoft on Tuesday issued three patches to close four vulnerabilities that try to use a new remote attack vector to spread malware.
Three fixes from Microsoft await security administrators next week, the software giant announced Thursday.
Tuesday's security update is comprised of two fixes for three vulnerabilities, but it does not address two publicly known flaws.
Microsoft is letting administrators ease their way into the New Year, with plans to issue only two patches next week.
WordPress is urging customers to install the latest version of its popular blogging software to close a "core security bug" that could be exploited to launch cross-site scripting attacks against vulnerable installations. Version 3.0.4 fixes the "critical" issue, present in the HTML sanitation library, and is available for download. "I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for," Matt Mullenweg, WordPress creator, wrote in a blog post on Wednesday. "In the spirit of the holidays, consider helping your friends as well. - DK
Microsoft has confirmed the presence of an unpatched vulnerability in all versions of its Internet Explorer (IE) browser.
Apple this week released an update to its QuickTime multimedia player to fix 15 vulnerabilities that may allow an attacker to execute arbitrary code or obtain sensitive information, according to a security advisory. QuickTime 7.6.9 is available for machines running Mac OS X 10.5 (Leopard) and Windows 7, Vista, and XP SP 2 or later. The vulnerabilities, which could be exploited by tricking a user into viewing a maliciously crafted video or image file, already were fixed in Snow Leopard, with the Mac OS X 10.6.5 update that was released in November. — AM
Email and web security provider Barracuda Networks announced Tuesday that it has launched a bug bounty program, becoming what is believed to be the first security vendor to award money to researchers who uncover vulnerabilities in its product line. Flaw finders can cash in between $500 and $3133.70 for locating bugs that compromise confidentiality, availability, integrity or authentication, according to Barracuda. Software providers such as Google and Mozilla offer similar programs. - DK
Microsoft on Wednesday warned of a fresh flaw in Internet Explorer that researchers at Symantec found was being exploited on a legitimate website.
Adobe on Thursday revealed a "critical" vulnerability impacting its Shockwave Player. The flaw, present in Shockwave 184.108.40.2062 and earlier versions for Windows and Macintosh, could allow an attacker to assume total system control, according to a security bulletin. Though Adobe is not aware of any in-the-wild attacks, the bug has been disclosed publicly. The company did not say when a fix would be released. The current version of Shockwave was released in August to plug 20 holes. — DK
SC Magazine Articles
- GCHQ infosec group disclosed kernel privilege exploit to Apple
- Adobe Flash remains threat as users fail to update, researchers
- Russian bank app changes password when users attempt removal
- CEO sacked after aircraft company grounded by whaling attack
- Update: 117 million LinkedIn email credentials found for sale on the dark web
- Some U.S. Bancorp workers' W-2 info exposed in ADP data breach
- Spearphishing attack nets $495K from investment firm
- Updated: Gmail, Yahoo email credentials among millions found on the dark web
- APWG report: Phishing surges by 250 percent in Q1 2016
- Adobe Flash remains threat as users fail to update, researchers
- Chrome 51 serves up 42 security fixes, $65K in bug bounties
- Reddit resets passwords after LinkedIn data dump
- The Southeast Eye Institute patient information compromised
- Microsoft warns of new, self-propagating ransomware in the wild
- Email error leaks hundreds of Northern Ireland prison officer details