June’s Patch Tuesday is lighter weight compared to previous months. In all, 51 unique CVEs are addressed, with 11 CVEs marked as Critical. Adobe also released an out-of-band update for a Flash Player vulnerability last week, which is being actively exploited.
Today’s Patch Tuesday is smaller than last month, but there are more critical updates this time. Out of the 63 vulnerabilities covered by the Microsoft patches, 22 of them are critical. Adobe has released 6 bulletins covering 19 vulnerabilities. According to Microsoft and Adobe, there are no active attacks against these vulnerabilities.
The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
Today’s Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities.
All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
For this month’s Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week.
From this list, there are patches for a vulnerability (CVE-2018-0825) that impacts StructuredQuery in Windows servers and workstations. Exploitation of this vulnerability would be through a malicious file and would lead to remote code execution. This patch should be at the top of the priority list, aside from the Adobe Flash patches mentioned below.
UPDATE 1/4/2018: Qualys has released several QIDs for detecting missing patches for these vulnerabilities.
UPDATE 1/5/2018: Pre-built AssetView dashboards to visualize impact and remediation progress.
Vulnerabilities potentially impacting all major processor vendors were disclosed today by Google Project Zero. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715). Organizations should inventory their systems by processor type, apply vendor patches as they become available, and track their progress. This article describes how Qualys can help in all three areas.
A new zero-day vulnerability (CVE-2017-7269) impacting Microsoft IIS 6.0 has been announced with proof-of-concept code. This vulnerability can only be exploited if WebDAV is enabled. IIS 6.0 is a component of Microsoft Windows Server 2003 (including R2.) Microsoft has ended support for Server 2003 on July 14, 2015, which means that this vulnerability will most likely not be patched. It is recommended that these systems be upgraded to a supported platform. The current workaround is to disable the WebDAV Web Service Extension if it is not needed by any web applications.
The Qualys Cloud Platform can help you detect the vulnerability, track and manage Server 2003 Assets, as well as block exploits against web-based vulnerabilities like this one.
An Interview with SSL Expert and SSL Labs Founder Ivan Ristić
Even though SSL/TLS is critical for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.
It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.
He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.
Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.
Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently. Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim’s browser into executing malicious requests designed by the attacker. A successful CSRF attack can force the victim’s browser to perform state-changing requests like transferring funds or changing his email address. Clearly these are attacks that need to be prevented.
Qualys is proud to announce that it was named Best Security Company earlier this week at the 2014 SC Magazine Awards. The awards acknowledge companies with superior security products that help customers tackle today’s most pressing information-technology (IT) challenges. The announcement was made on February 25, 2014 at the 17th annual SC Awards U.S. Gala in San Francisco, in conjunction with the annual RSA Conference. The criteria for the judging included: product line strength, customer base, customer service/support, research and development, and innovation.
“The SC Awards are the security industry’s most prestigious accolade, bestowed only to the most impressive companies in the security industry,” said Illena Armstrong, VP of editorial, SC Magazine. “Qualys can be very proud of this achievement and the many long hours of dedicated service that it represents.”
“We are honored to be named the Best Security Company by SC Magazine,” said Philippe Courtot, chairman and CEO, Qualys. “We share this honor with our customers and partners, who throughout the years, have been our guiding force to continue improving our existing cloud-based security and compliance solutions and design new innovative ones.”
Qualys also won the award for SC Award for Best Security Company in 2011. Read the full news release.