Qualys Community

How Ignoring Low-Level Security Risks Can Open the Door to Major Attacks

With the rise in attacks against web applications, cybersecurity teams have naturally prioritized the elimination of high-risk threats such as SQL injection and cross-site scripting (XSS) vulnerabilities. The flip side is that many cybersecurity teams choose to ignore or delay the remediation of low-level security vulnerabilities in their web applications. Unfortunately, this isn’t a wise strategy. Underestimating the importance of fixing low-level security issues can create a major problem for an organization. Why? By exploiting a combination of seemingly trivial vulnerabilities, attackers can sometimes open up a large security gap that lets them do extreme damage. In this article, I will demonstrate such a scenario, showing how, by taking advantage of several unfixed low-level security issues, an attacker could gain full administrator access to a popular web application.

Oracle Critical Patch Update April 2016

This week Oracle released their quarterly Critical Patch Update (CPU) for April 2016. The CPU addresses 136 vulnerabilities in 49 products, including Java, Solaris, several middleware products, VirtualBox, the MySQL database and the original Oracle database.

Qualys Cloud Platform 2.13 New Features

A new release of the Qualys Cloud Platform (AssetView 2.13, Cloud Agent Platform 1.4.4) includes several new features for AssetView and Cloud Agent, and introduces our newest capability to the Qualys product family, ThreatPROTECT.

Qualys Cloud Agent Client 1.4 Now Available

I’m pleased to announce the general availability of the Qualys Cloud Agent Client version 1.4 for Windows and Linux. This release includes a number of fixes as well as snapshot performance improvements.

WAS 4.7 Adds Enhanced Support for Redundant Link Checks

We are pleased to announce Qualys Web Application Scanning 4.7 (WAS) featuring new and enhanced support for redundant and customizable link checks.

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with commonly adhered-to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library monthly.

Patch Tuesday April 2016

It is time for Patch Tuesday April 2016, and we already have some insight into what is coming at us. Last week Adobe had to release its monthly Adobe Flash Player patch (APSB16-10) ahead of schedule to help users defend against a 0-day that was being exploited in the wild. A couple of weeks ago we also heard of the “Badlock” vulnerability from the Samba development team; both Windows and Samba on Linux/Unix are affected.

Update: Adobe to release patch for 0-day in Flash Player

Update: Adobe has released a new version of its Flash Player in APSB16-10. It addresses 22 critical vulnerabilities that can be used to gain code execution, and 2 vulnerabilities that can be used to retrieve memory address information and to bypass a security feature. One of the vulnerabilities, CVE-2016-1019, is currently being attacked in the wild by exploit kits.

This release is Adobe’s April Patch Tuesday release. We do not expect another release this month. You should patch as quickly as possible, especially on machines that are still running a pre-March version of Flash, as these are vulnerable to CVE-2016-1019.

WAS 4.6 Adds Option to Remove Unused Assets from Subscription when Deprovisioning

Previously, when deprovisioning an asset in Qualys Web Application Scanning (WAS) and Web Application Firewall (WAF), it was not possible to delete the main asset from the subscription. This capability has now been added to Qualys WAS and WAF.
