Qualys Blog


Update: Patch Tuesday January 2016

Update: Kaspersky, who is credited with finding MS16-006, the critical Silverlight vulnerability, just published their story on how the bug was found. Very interesting, it has to do with the Hacking Team breach and coding "standards" – take a look at their blog post for more info. They also made clear that this vulnerability is under attack in the wild and that we are looking at a true 0-day here. This changes our priorities – we now put MS16-006 at the top of our list. Take a look at your installations, see if you have Silverlight installed and address the flaw as soon as possible.

Original: The first Patch Tuesday of 2016 turns out to be low in numbers, but broad and packing quite a punch: six of the nine bulletins are rated critical, including the Windows Kernel and Office bulletins. In addition, some rather important products are going End-of-Life and get their last patch update today. Microsoft is retiring support for all older browsers on each platform and will from here on only maintain the newest browser on each version of the OS.


Patch Tuesday December 2015

There we are: the last Patch Tuesday of 2015. It turns out to be about average, with maybe a bit more severity in the bulletins than usual. We have eight critical bulletins in the total of 12, including one that fixes a 0-day vulnerability, currently in use by attackers to escalate privileges in Windows. 0-days used to be very rare occasions, but this year they have become almost mainstream. After all, the year started off with a string of 0-days in Adobe Flash, and since then we have seen almost every month a patch for a vulnerability that is already under attack. Definitely a sign of the increasing technical capabilities that attackers are wielding and a reminder that IT Managers should not only patch their systems promptly, but also look for additional robustness. Your list of things to look at in 2016 should include investigation of minimal software installs with the least features enabled, plus an additional piece of software such as EMET that enhances robustness.


Patch Tuesday November 2015

And we are back to normal for Patch Tuesday November 2015. Twelve bulletins that cover a wide mix of products from Internet Explorer (MS15-112) to Skype (MS15-123). Last month’s lower number of six bulletins was an anomaly caused by, maybe, the summer vacation? What is not an anomaly but the product of serious security engineering is the pronounced difference between Internet Explorer and Edge patches.


Patch Tuesday October 2015

Patch Tuesday October 2015 turns out to be a light edition. There are only six bulletins, but all of the important products are covered. We have a critical bulletin for Internet Explorer (but not for Edge), a bulletin for Office that has Remote Code Execution (RCE) vulnerabilities, plus Windows Kernel vulnerabilities that allow for privilege escalation. Plus an interesting issue in Windows shell that allows for RCE as well. Pretty much everybody, meaning all versions of Windows and Office, is affected, except that this month none of the additional software packages (.NET, server software, etc.) have updates.


Patch Tuesday September 2015

Hello to Patch Tuesday September 2015: We are ¾ through the year and have broken the 100 bulletin mark with this month's 12 additions. We are now projecting over 145 bulletins by the end of the year, a bit higher than our initial projection from May, when we said we would be seeing just over 140 bulletins this year.


Patch Tuesday August 2015

It is Windows 10's first Patch Tuesday and 40% of the August bulletins for generic Windows apply to the newest version of the operating system: Windows 10. In addition there is an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer; it addresses three critical vulnerabilities. Windows 10 fares a bit better than Windows 8, which had 60% in its first two months, where three out of five bulletins were applicable. From a security perspective Windows 10 brings much improvement and we are curious to see how the acceptance of Windows 10 will play out, especially comparing the enterprise side and consumer side. On the enterprise level we think Virtual Secure Mode, which takes credential hashes out of the Windows kernel, is the biggest advance, while for the consumer it is the new patching schedule, which basically keeps Windows always updated with the latest updates.


Update5 – HackingTeam 0-day for Flash

Update5: Adobe has added a second vulnerability to APSA15-04, CVE-2015-5123, which TrendMicro has found. PoC code is available but not integrated into ExploitKits yet.

Update4: Adobe has acknowledged in APSA15-04 another 0-day for Flash originating in the data dump from HackingTeam. Security researcher Webdevil documents his finding in a tweet. Adobe credits Dhanesh Kizhakkian from FireEye, who documented the PoC found in the data dump and notified Adobe (first?). Adobe expects to address the vulnerability next week (during normal Patch Tuesday maybe?). According to @Kafeine the vulnerability is already in use in the Angler Exploit Kit.

Update3: Adobe has released the patch for the HackingTeam 0-day, CVE-2015-5119. Beyond that vulnerability, the update APSB15-16 also addresses 42 other vulnerabilities, of which 27 can be used to reach remote code execution. Users of Google Chrome get their Flash update automatically, as do users of IE11 and IE11 from Microsoft. Users of other browsers, i.e. Firefox, Opera and Safari, need to install the patch manually. Install as quickly as possible to neutralize the exploits that are already available in the major ExploitKits.

In addition Adobe has pre-announced a new version of Adobe Reader (APSB15-15) for next Tuesday that will address critical vulnerabilities as well.

Update2: Adobe acknowledged the bug in APSA15-03 and will make an update available on Wednesday, July 8th. Excellent, quick reaction. Google is credited for reporting the bug now called CVE-2015-5119. Security researcher @kafeine reports that the Angler, Fiddler, Nuclear and Neutrino ExploitKits have added CVE-2015-5119 to their lineup. Patch as quickly as possible or think about adding EMET to your workstations.

Update: EMET 4.1 (last available version for XP) in its default configuration takes care of the attack on Windows XP. EMET is a good additional security tool to install once you are fully patched. It monitors for certain attack patterns and neutralizes them – if the exploit uses any of the common ways to execute shellcode, EMET users have a good chance to get away unharmed.
