Qualys Blog

www.qualys.com
1170 posts

Qualys Cloud Platform 2.26 New Features

This release of the Qualys Cloud Platform version 2.26 includes updates and new features for Cloud Agent, AssetView, Security Assessment Questionnaire and Web Application Scanning as follows:

Continue reading …

Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities

Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability which could allow a remote attacker to take complete control of the server running Struts. The struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.

Oracle also released Patch 25878798 for Solaris 10 and 11.3 which fixed the second Shadow Brokers EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR  has a CVSS Base Score of 7.8, and if successfully exploited allows a local privilege escalation in the ‘dtappgather’ component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. “Ebbisland” or “Ebbshave”) was previously addressed by Oracle in several Solaris 10 patch distributions issued since January 26th 2012 and does not affect Solaris 11.

Out of the 299 total fixes MySQL, Financial Services, Retail and Fusion Middleware take the lion’s share of fixes and the distribution is shown in the chart below. Majority of the vulnerabilities in the Financial Services, Retail and Fusion Middleware could be exploited via the HTTP protocol and attackers can take complete control of the system remotely without the need of any credentials.

Continue reading …

PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1

SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0”\ will be marked as a Fail for PCI as of May 1, 2017 in accordance with the PCI DSS v3.2.  For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI until June 30, 2018.

Continue reading …

The Shadow Brokers Release Zero Day Exploit Tools

On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.

Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.

For zero-day vulnerabilities in Operating Systems, you can use your existing asset inventory information from Qualys AssetView, and search for any OS to determine how many vulnerable assets are deployed. This can be done without additional scanning if the data is relatively fresh.

Continue reading …

April 2017 Patch Tuesday Video Highlights

Microsoft Fixes 45 Vulnerabilities with new Security Update Guide and says goodbye to Security Bulletins. Adobe Fixes Flash, PDF reader and Photoshop.

Microsoft Fixes 45 Vulnerabilities with new Security Update Guide – says goodbye to Security Bulletins

Today is the first month since 1998 in which Microsoft stopped releasing security bulletins with the familiar MSxx-xxx format and replaced it with the new security update guide. We talked about this change earlier in a few blog posts and finally today it’s time to say good bye to security bulletins which essentially combined related vulnerabilities and products for easy of consumption.

In today’s release Microsoft fixed a total of 45 vulnerabilities that could lead to remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing. Top priority goes to the Office and WordPad CVE-2017-0199 which fixed a 0-day vulnerability that is being actively exploited in the wild. Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Office or WordPad. Attacker could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file. We recommend administrators patch this as soon as possible.

Continue reading …

Adobe Fixes Flash, PDF reader and Photoshop in April

Adobe released five security bulletins today following a pre-notification which was released on Thursday of last week. Highest priority goes to the Flash update APSB17-10 as flash has been the top choice for malware and exploit kits. If left un-patched, the vulnerabilities allow attackers to take complete control of user’s computer if the user views malicious flash content hosted by the attacker. Although flash based exploit kit activity has reduced as compared to last year we still recommend updating this first. The affected versions are listed in the table below:

Continue reading …

IT Asset Inventory Systems and CMDBs: A Marriage Made in InfoSec Heaven

A key capability of an IT asset inventory system is being able to exchange data with CMDBs (Configuration Management Databases). In fact, a common misconception is that organizations with CMDBs don’t need an IT asset inventory system because their functions overlap. While they have similar roles, each one plays a different and important part, and they complement each other.

Continue reading …

SANS 2017 Cybersecurity Trend Report Checklist

The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now, we’re providing you with a useful checklist to help put you in a better position to respond these trends, which are expected to continue to dominate this year.

Continue reading …

SSL Labs Distrusts WoSign and StartCom certificates

In the second half of 2016, a series of events unfolded that culminated with something many didn’t think was possible (or at least thought very unlikely): a public CA was distrusted. The CA in question was WoSign, a Chinese CA who made some waves by offering free certificates back in the day, before Let’s Encrypt came onto the scene. To make the case even more remarkable, another CA—StartCom—was distrusted at the same time. These were CAs with substantial installed user bases, largely because both had offered free certificates.

Continue reading …