Vulnerability Prioritization & the Magic 8 Ball

October 10, 2024 at 07:08AM The CVE program, celebrating 25 years, has significantly advanced vulnerability management despite persistent challenges like inconsistency in CVE issuance, subjective severity scoring, and the automation of CVE creation. Effective patching requires a nuanced approach, prioritizing critical systems to mitigate risks from potential attacks across all system layers. …

Hackers use PoC exploits in attacks 22 minutes after release

July 14, 2024 at 11:37AM Cloudflare’s 2024 Application Security report highlights the rapid weaponization of proof-of-concept exploits, with attackers acting as quickly as 22 minutes after publication. The report identifies the most targeted CVEs, emphasizing the need for AI assistance to develop effective detection rules. Additionally, the report reveals a significant increase in DDoS traffic, …

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

July 9, 2024 at 05:13PM July’s Microsoft security update addresses 139 CVEs, including actively exploited vulnerabilities and a public Intel microprocessor issue. Notably, two zero-day bugs were identified, posing a moderate threat. Additionally, critical vulnerabilities affecting Windows Remote Desktop Licensing Service require immediate attention, with a recommendation to disable the service if not in use. …

Developing a Plan to Respond to Critical CVEs in Open Source Software

June 7, 2024 at 10:09AM The tech industry faced wake-up calls in 2020 and 2021 with incidents like SolarWinds, Log4j, and Kaseya’s VSA, emphasizing the critical need to refine response strategies to vulnerabilities and supply chain attacks. Both large and small organizations must prioritize comprehensive asset inventories and software bills of materials to effectively respond …

Researchers call out QNAP for dragging its heels on patch development

May 20, 2024 at 10:07AM QNAP’s vulnerabilities disclosed by watchTowr revealed 15 issues, with only 4 addressed. Six are accepted with no available patches, while the rest are still under embargo or have no solution. QNAP has a history of ransomware attacks and slow patching. CVE-2024-27130, with potential RCE, remains unpatched despite being acknowledged by …

2 (or 5) Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts

May 9, 2024 at 05:16PM Newly discovered vulnerabilities in F5 Networks’ BIG-IP Next Central Manager could allow attackers to gain full control and create hidden accounts in F5-brand assets. These vulnerabilities have been assigned CVEs and patched by the vendor. Additional bugs affecting the Central Manager still pose threats, allowing attackers to wreak havoc despite …

Supply Chain Breaches Up 68% Year Over Year, According to DBIR

May 6, 2024 at 07:57PM Supply chain breaches rose steeply in 2023, with 15% involving third parties, up from 9% in 2022. Verizon’s DBIR considers not only vendor compromises but also vulnerabilities in third-party software. Exploited vulnerabilities, primarily in ransomware attacks, were the most common issue, prompting the suggestion to assess vendor choices and prioritize …

Oracle Patches 230 Vulnerabilities With April 2024 CPU

April 17, 2024 at 07:19AM Oracle released 441 new security patches in April 2024, with over 200 addressing flaws exploitable by remote, unauthenticated attackers. Oracle Communications received the most patches (93), followed by Fusion Middleware (51) and Financial Services Applications (49). Additionally, separate fixes were released for vulnerabilities affecting multiple applications. Customers are advised to …

Apple Stingy With Details About Latest iOS Update

March 22, 2024 at 02:47PM Apple has released a security update for iOS 17.4, soon after its initial launch. However, the company has not provided details regarding specific vulnerabilities (CVEs) or information about the fixes in this update. …

Oracle Patches 200 Vulnerabilities With January 2024 CPU

January 17, 2024 at 06:30AM Oracle issued 389 new security patches in its January 2024 Critical Patch Update, addressing numerous critical-severity vulnerabilities. The update covers over 200 unique CVEs, with emphasis on Financial Services Applications, Communications, and MySQL. Oracle urges prompt patch application, warning of potential in-the-wild exploitation. The company plans three more Critical Patch …