This month’s Microsoft Patch Tuesday addresses 88 vulnerabilities with 21 of them labeled as Critical. Of the 21 Critical vulns, 17 are for scripting engines and browsers, and 3 are potential hypervisor escapes in Hyper-V. The remaining vulnerability is an RCE in the Microsoft Speech API. Microsoft also issued guidance on Bluetooth Low Energy FIDO keys, HoloLens, and Microsoft Exchange. Adobe issues patches today for Flash, ColdFusion, and Campaign.
A vulnerability affecting the official Alpine Docker images version >=3.3 contains a null password for the root user. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.
The training sessions provide both offensive and defensive skills that security pros can use to tackle critical threats affecting applications, IoT systems, cloud services, and more. Meanwhile, the briefing sessions feature cutting-edge research on the latest infosec risks and trends. All sessions are led by expert trainers and researchers.
To help attendees decide which sessions to choose, we’ve selected ten that we think will be particularly relevant and valuable for Qualys customers, and we’ll highlight one each week here on our blog. Here’s our first recommendation: Advanced Cloud Security And Applied Devsecops.
This highly technical course delves deep into practical cloud security and applied DevSecOps for enterprise-scale cloud deployments, and focuses on IaaS and PaaS.
“Real-world cloud security is most definitely not business as usual. The fundamental abstraction and automation used to build cloud platforms upends much of how we implement security. The same principles may apply, but how they apply is dramatically different, especially at enterprise scale,” reads the course abstract.
The rise of sophisticated attacks combined with the security-skills shortage have driven many organizations to go back to basics and review their processes for vulnerability and patch management. The approach is definitely a winning one, given that shrinking and managing the vulnerability surface makes it harder to target and compromise.
Assessing the attack surface requires strengthening key capabilities, such as increasing visibility across the IT landscape and improving the detection, prioritization and remediation of vulnerabilities at scale. Qualys has been boosting these capabilities for its customers over the last two decades.
Read on to learn how Qualys is addressing enterprises’ patch management challenges with integrated breach prevention that includes its new Patch Management cloud application.
Vulnerabilities that vendors have disclosed and issued patches for remain a major source of breaches. Why? Too many organizations take too long to deploy those patches — or never do.
That was the case with WannaCry. The ransomware exploited Windows vulnerability MS17-010, which Microsoft disclosed in mid-March 2017, rating it “Critical” and issuing a patch for it. The attacks began two months later. It was only then that most affected organizations began to install the patch. When the dust cleared, WannaCry had infected 300,000-plus systems, disrupting critical operations globally.
So why does this baffling problem persist?
As is true for most IT and security challenges, the patch management problem and its solution depend on a combination of the technology being used and of the processes in place.
Read on to learn about patch management best practices, and about Qualys’ new patch management cloud app.
We were recently made aware of a user enumeration issue on the login page of SumTotal’s training website, a learning management solution that Qualys uses for its training and certification site. Upon learning of the issue, we immediately worked through the vendor to get it fixed. The training website is completely segregated from the Qualys Cloud Platform; therefore, no customer data was ever at risk or compromised.
This new release of the Qualys Cloud Platform (VM, PC), version 8.19.1, includes newly added technology support for HP Safeguard and CISCO ACS 5, collected via Qualys Out-of-Band Configuration Assessment.
Visibility and control of digital certificates remains a challenge for even the largest enterprises, as evidenced by a high profile incident this week affecting Microsoft’s LinkedIn. Users accessing LinkedIn on Tuesday got a warning from their browsers alerting them about an insecure connection. The culprit: An expired TLS certificate.
In a statement to the press, LinkedIn said it experienced a “brief delay” in updating a digital certificate, and stated that member data wasn’t affected. Yet, the incident spotlights a nagging issue that frequently trips even the most technically savvy companies in the world: Digital certificate management.
Qualys SSL Labs’ SSL Pulse, which monitors the quality of SSL/TLS support across 150,000 of the most popular websites in the world, rated about 33% of the sites monitored as having inadequate security in its May report. A few thousand of these sites had expired certificates.
Is your security team struggling to decide which projects will slash risk the most without breaking the bank? If so, we believe your security leaders can end analysis paralysis by perusing Gartner’s “Top 10 Security Projects for 2019” report. As its title states, the report recommends ten security projects for 2019, and the projects selected are supported by technologies available today, address the changing needs of cybersecurity and support what Gartner calls a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach through risk prioritization.
Below we highlight five of the projects, provide Gartner’s take, offer our opinion, and explain how Qualys can help you implement them.
This month’s Microsoft Patch Tuesday included a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) in Remote Desktop that impacts Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. This vulnerability allows an unauthenticated attacker (or malware) to execute code on the vulnerable system. It is very likely that PoC code will be published soon, and this may result in a WannaCry-style attack.
UPDATE: Network Level Authentication (NLA) partially mitigates this vulnerability. QID 90788 (Microsoft Windows Network Level Authentication Disabled) can be used to find hosts that have NLA disabled. This forces the attacker to have valid credentials in order to perform RCE.
UPDATE: A new remote (unauthenticated) check was released under QID 91541. See below for details.