Meltdown/Spectre: Intel Nixes Patches, Tech CEOs Questioned on Information Blackout

IT departments and tech vendors continued grappling with Spectre and Meltdown this week, as Intel pulled its glitchy patches and the U.S. Congress questioned the vulnerability disclosures’ timing and scope.

Spectre and Meltdown aren’t typical vulnerabilities for a number of reasons, and as a result, they’ve proven problematic to deal with. Intel, whose products are the most impacted, has had a particularly rocky time crafting its firmware updates for mitigating the bugs.

Continue reading …

Qualys Cloud Suite 8.12 New Features

This new release of the Qualys Cloud Suite, version 8.12, adds new reporting options for the PC Report, allowing you to include new summaries in the remediation section of the report for control failures.

Continue reading …

Meltdown and Spectre Aren’t Business as Usual

The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk.

“Meltdown and Spectre are different vulnerabilities from what you’re used to seeing,” Jimmy Graham, a Product Management Director at Qualys, said during a webcast on Wednesday.

As a result, it’s essential for organizations to fully understand the nature of these vulnerabilities, stay on top of the latest information, and analyze the vulnerabilities’ impact in their IT environments, in order to stay as safe as possible.

“It’s not a simple [process] of just install a patch and you’re done,” he said.

Continue reading …

Meltdown / Spectre Mitigation Is a Work in Progress

Since researchers disclosed the Meltdown and Spectre vulnerabilities on Jan. 3, vendors and IT departments have been consumed trying to figure out how to properly address the potentially devastating effects of these kernel-level bugs.

By now, one thing we know for sure is that dealing with the vulnerabilities is a moving target. This situation is compounded by the fact that they have broad implications and that every day seems to bring new, relevant information that must be factored into ongoing mitigation efforts.

Thus, it’s important to stay on top of the latest developments, so we’re providing a snapshot of what we know to date, how Qualys can help and what InfoSec teams can do. We’re also tracking a list of Qualys resources.

Continue reading …

Continuous Security & Compliance Webcast Series

This webcast series shows you how to effectively navigate security risks, new regulations and new technologies in support of a secure and compliant digital transformation. Qualys product managers walk you through the new features of Qualys Cloud Platform and Apps and show you how to get maximum leverage across eight critical areas.

Expert speakers will present and demonstrate how to:

Continue reading …

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policies and updates:

  • New CIS policies for Internet Explorer and Chrome on Windows, Apache Tomcat, RHEL, Windows 10, Sybase ASE, and MongoDB
  • New DISA STIG policies for Internet Explorer 10 and 11
  • New Best Practice & Mandate Policies for SAP ASE 16 and HiTRUST CSF on Linux
  • Several updates to existing library policies

Continue reading …

January Patch Tuesday – Meltdown/Spectre, 16 Critical Microsoft Patches, 1 Adobe Patch

Due to the disclosure of Meltdown and Spectre, Microsoft released several patches last week with the ranking “Important.” While there are no active attacks against these vulnerabilities, a special focus should be placed on any of the browser patches, due to potential attacks using JavaScript.

Continue reading …

Meltdown/Spectre and Qualys Cloud Platform

In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities and to assist customers in their internal security assessment.  

Below, please find information about how Qualys has performed its assessment and is taking steps to protect its environment and the Qualys Cloud Platform:

Continue reading …

PCI DSS v3.2 & Private IP Address Disclosure

Private IP address disclosures such as QID 86247 “Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability” will be marked as a Fail for PCI as of February 1, 2018 in accordance with PCI DSS v3.2.

Continue reading …

Visualizing Spectre/Meltdown Impact and Remediation Progress

In order to determine the impact of Spectre/Meltdown and track remediation progress across your entire environment, it is important to visualize vulnerability detections in a dynamic dashboard. For more information on Spectre and Meltdown, please see our previous blog.

Using Qualys AssetView, we have created a dashboard with preloaded widgets that can help track remediation progress as you patch against Spectre and Meltdown. These widgets were built with out-of-the-box functionality, and can be imported into any Qualys subscription.

Continue reading …