Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently. Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).
In early 2009, SSL Labs was just this idea I had, born out of frustration with having to deal with a very complex subject without good documentation and tools. I wanted something that worked for me, and didn’t really anticipate that it could become as popular as it is today. The first version launched in the summer of that same year.
Update: Adobe released the patch for Adobe Flash that addresses the current 0-day CVE-2016-4117 in APSB16-15. It also patches another 24 vulnerabilities that are mostly rated critical. Patch as quickly as possible. Chrome and Internet Explorer 11/Edge users will get their patches from Google and Microsoft automatically.
Original: Today is the second Tuesday of the month, when both Microsoft and Adobe publish the security updates to their products – the so-called Patch Tuesday.
But before we get into the details of their updates for the month (17 in all) let’s reiterate the urgency of another vulnerability that might have slipped by you. The popular open source program ImageMagick is currently under active attack on the Internet. Vulnerability CVE-2016-3714 (called ImageTragick in the associated vulnerability branding campaign) allows for remote code execution (RCE) through image uploads. At the moment no patch is available, but a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file. I did this immediately on my sites, even though I use ImageMagick only in commandline mode for thumbnail creation. BTW, the workaround has become more complete over the last 2 weeks, so it is worth taking another look even if you have applied it already…
By now, security pros everywhere have heard about SAMSAM, the sinister ransomware attack that exploits years-old vulnerabilities in JBoss and has hit hospitals particularly hard. The spread and “success” of SAMSAM shines the spotlight on the well-known infosec problem of prioritizing vulnerability remediation work.
We are releasing an update to the grading criteria, version 2009m, to respond to the discovery of the OpenSSL vulnerability CVE-2016-2107 announced in the OpenSSL Security Advisory [3rd May 2016]. This vulnerability can be exploited by MITM attacker using a padding Oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.
With the rise in attacks against web applications, cyber security teams naturally have prioritized the elimination of high-risk threats, such as SQL injections and cross-site scripting (XSS) vulnerabilities. The flip side of this is that many cybersecurity teams choose to ignore or delay the remediation of low-level security vulnerabilities in their web applications. Unfortunately, this isn’t a wise strategy. Underestimating the importance of fixing low-level security issues could create a major problem for an organization. Why? By exploiting a combination of seemingly trivial vulnerabilities, attackers can sometimes open up a big security gap that lets them do extreme damage. In this article, I will demonstrate such a scenario, showing how by taking advantage of several unfixed low-level security issues, an attacker could gain full administrator access to a popular web application.