Qualys Community

1002 posts

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with commonly adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library monthly.

Continue reading …

Critical Cisco VPN Flaw

Cisco published this week an advisory for the critical vulnerability CVE-2016-1287 in its ASA line of firewalls that have IKEv1/2 VPNs configured.  An exploit for the vulnerability would allow an unauthenticated, remote attacker to execute code on the device. A technical breakdown of the vulnerability can be found in the blog post at Exodus Intelligence who reported the vulnerability to Cisco. Exodus Intelligence is a 0-day research company, so this showcases some of their capabilities, while at the same time raises the question as to why they would publish the vulnerability rather than add it to their portfolio.

Continue reading …

Patch Tuesday February 2016

We are back to normal numbers on Patch Tuesday. After a light start with nine bulletins in January we are getting 12 bulletins (five critical) in February, which is in line with the average count for last year: 12.25/month:

Continue reading …

Newest Java Addresses Binary Planting Vulnerability

Oracle published a new version of Java 8, 7 and 6 to address a vulnerability in the installer. CVE-2016-0603 addresses a flaw where the attacker would seed the system with malicious DLLs that the installer would use instead of the DLLs included in the package itself. This type of vulnerability is generally known as binary planting.

As Oracle points out existing installations are not at risk. New installations should use the latest fixed packages to address the case where an end user might have visited a malicious site which could have prepared the machine for the attack by downloading altered versions of one of the DLLs involved. Fixed versions of Java are 6 update 113, 7 update 97 and 8 update 73.


What is the Apex Predator Doing to Get Your Information?

This week at the USENIX Enigma 2016 Security conference the final talk was given by Rob Joyce, Chief of the NSA’s Tailored Access Operations (TAO). TAO is the offensive unit of the NSA that got much coverage following the public disclosure of internal NSA documents by Edward Snowden, with some of their arsenal of exploitation tools documented.

Continue reading …

Oracle Critical Patch Update January 2016

Oracle has published their Critical Patch Update (CPU) for January 2016. The Oracle CPU is quarterly and addresses the flaws in large Oracle’s product line, including their core product the relational database, but also in a large number of acquisitions like Solaris, MySQL, Java and many of the end-user products, such as JDEdwards ERP, Peoplesoft and CRM.

Continue reading …

Hunting For Vulnerable Functions In Microsoft Silverlight MS16-006

This week Microsoft released a patch for a critical Silverlight issue, MS16-006, and since I worked on Silverlight signatures in the past it caught my eye. It’s a Remote Code Execution vulnerability which allows attackers to run code of his or her choice on the victim machine. I had a hunch that something more was hiding. I started to analyze it as soon as I finished writing signatures for the existing patch. When I was working on the analysis Kaspersky Lab published a great blog post about the story of this vulnerability.

In this blog, I’m presenting analysis of a different function that was also fixed in the same patch.

Continue reading …

Update: Patch Tuesday January 2016

Update: Kaspersky who is credited with finding MS16-006,the critical Silverlight vulnerability just published their story on how the bug was found. Very interesting, has to do with the Hacking Team breach and coding "standards" – take a look at their blog post for more info. They also made clear that this vulnerability is under attack in the wild and that we are looking at a true 0-day here. This changes our priorities – we now put MS16-006 at the top of our list. Take a look at your installations, see if you have Silverlight installed and address the flaw as soon as possible.

Original: The first Patch Tuesday of 2016 turns out to be low in numbers, but broad and packing quite a punch: six of the nine bulletins are rated critical, including the Windows Kernel and Office bulletins. In addition some rather important products are going End-of-Life and get their last patch update today. Microsoft is retiring support for all older browsers on each platform and will from here on only maintain the newest browser on each version of the OS.

Continue reading …