The pace of vulnerability disclosure shows no signs of slowing

Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year, according to Risk Based Security’s 2018 Q1 Vulnerability QuickView Report. Note that bug bounties are a subset of the ‘Coordinated Disclosures’ total. Key findings: 5,375 unique vulnerabilities were reported. This is just a 1.8% increase over the same period in 2017. Note that this number will continue to rise throughout 2018. 1,790 (33.3%) of the … More

The importance of threat intelligence and vulnerability remediation prioritization

In this podcast recorded at RSA Conference 2018, Jimmy Graham, Director of Product Management, Vulnerability Management at Qualys, talks about the importance of threat intelligence and vulnerability remediation prioritization. Here’s a transcript of the podcast for your convenience. Hi, my name is Jimmy Graham and I’m the Director of Product Management, Vulnerability Management at Qualys. In this Help Net Security podcast I’ll be talking about the importance of threat intelligence and vulnerability remediation prioritization. So, … More

New Drupal RCE vulnerability under active exploitation, patch ASAP!

Yet another Drupal remote code execution vulnerability has been patched by the Drupal security team, who urge users to implement the offered updates immediately as the flaw is being actively exploited in the wild. The vulnerability (CVE-2018-7602) affects Drupal versions 7.x and 8.x. Users should upgrade to v7.59 and 8.5.3. Those who, for whatever reason, can’t implement the update can implement standalone patches, but before doing so they have to apply the fix from SA-CORE-2018-002 … More

Expand vulnerability and risk management programs to eliminate security misconfigurations

In this podcast recorded at RSA Conference 2018, Tim White, Director of Product Management, Policy Compliance at Qualys, discusses how expanding vulnerability and risk management programs can eliminate security misconfigurations. Many don’t realize misconfigurations can be exploited just as easily as a vulnerable piece of software to result in compromise. Here’s a transcript of the podcast for your convenience. Hi, my name is Tim White with Qualys. I am the Director of Product Management for … More

Illumio and Qualys integrate to deliver vulnerability-based micro-segmentation

Illumio announced new global vulnerability mapping capabilities on its Adaptive Security Platform. Vulnerability and threat data from the Qualys Cloud Platform is integrated with Illumio application dependency mapping to show potential attack paths in real time. Automated vulnerability-based policy recommendations: mitigate vulnerabilities without breaking your application. The integration between the Qualys Cloud Platform and Illumio delivers vulnerability maps, enabling organizations to see connections to vulnerabilities within and between applications. This new capability also includes an … More

Critical vulnerability opens Cisco switches to remote attack

A critical vulnerability affecting many of Cisco’s networking devices could be exploited by unauthenticated, remote attackers to take over vulnerable devices or trigger a reload and crash. The company says that the vulnerability is not actively exploited in the wild, but as information about it and Proof-of-Concept code has now been published, network administrators would do well to install the released security updates as soon as possible. About the vulnerability (CVE-2018-0171): The flaw was discovered … More

Exim vulnerability opens 400,000 servers to remote code execution

If you’re using the Exim mail transfer agent on your Internet-connected Unix-like systems and you haven’t yet upgraded to version 4.90.1, now is the time to do it, as all previous versions contain a vulnerability that can be exploited to achieve remote code execution. About the Exim remote code execution vulnerability: The buffer overflow vulnerability in the base64 decode function of Exim (CVE-2018-6789) was discovered and reported by Meh Chang of the DEVCORE research team … More

Week in review: Vulnerability tracking, GDPR quick guide, tackling the insider threat

Here’s an overview of some of last week’s most interesting news and articles: Intel offers to pay for Spectre-like side channel vulnerabilities. Intel is expanding the bug bounty program it started last March, and is raising considerably the awards it plans to give out for helpful vulnerability information. The company is, simultaneously, starting a new bug bounty program focused specifically on side channel vulnerabilities, i.e., vulnerabilities that are rooted in Intel hardware but can be … More

Still relying solely on CVE and NVD for vulnerability tracking? Bad idea

2017 broke the previous all-time record for the highest number of reported vulnerabilities. The 20,832 vulnerabilities cataloged during 2017 by Risk Based Security (VulnDB) eclipsed the total covered by MITRE’s Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD) by more than 7,900. “Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organization falling short year after year. While some argue that the … More

Vulnerability in ISC BIND leads to DoS, patch today!

The Internet Systems Consortium has released security updates for BIND, the most widely used Domain Name System (DNS) software on the Internet, and a patch for ISC DHCP, its open source software that implements the Dynamic Host Configuration Protocol for connection to an IP network. BIND update: The BIND update should be implemented as soon as possible: the vulnerability (CVE-2017-3145) can lead to denial-of-service and crash, and instances of that happening have been reported by … More