Articles about vulnerability

Known vulnerabilities for which patches have already been made available are the primary vehicle for cyberattacks, according to a report released today by Tenable.

The Tenable Research team analyzed cybersecurity events, vulnerabilities and trends throughout 2022, including 1,335 data breach incidents publicly disclosed between November 2021 and October 2022.

Continue reading →

A new study, based on the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions, finds 84 percent contain at least one known open source vulnerability, an increase of almost four percent from last year.

The Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), shows growing use of open source. In the education technology sector it's grown by 163 percent, with educational courses and instructor/student interactions increasingly pushed online.

Continue reading →

Research from Salt Labs has highlighted two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO Group.

BrickLink is the world's largest online marketplace to buy and sell second-hand LEGO. The API security flaws could have allowed for both large-scale account takeover (ATO) attacks on customers' accounts and server compromise to allow bad actors to take control of accounts and steal personal details.

Continue reading →

Google has announced a new tool designed to help identify vulnerabilities in open source software.

The OSV-Scanner is described as a frontend to the existing OSV (open source vulnerabilities) database and one of the aims is to alert developers to security issues in the code their projects depend on.

Continue reading →

New research from Rezilion finds that there's a high level of inaccuracies and noise created by the market's most popular commercial and open-source scanning technologies.

Researchers examined 20 popular containers on DockerHub, ran them locally, and scanned them using six different, popular vulnerability scanners in the commercial and open-source market. Taking false negatives into account the scanners returned only 73 percent of relevant results out of all vulnerabilities that should have been identified, including those the scanners failed to detect.

Continue reading →

With more open source being consumed than ever before, attacks targeting the software supply chain have increased too, both in frequency and complexity. A new report reveals a 633 percent year on year increase in malicious attacks aimed at open source in public repositories -- this equates to a 742 percent average yearly increase in software supply chain attacks since 2019.

The latest State of the Software Supply Chain Report from Sonatype, released today at the DevOps Enterprise Summit, also finds that 96 percent of open source Java downloads with known-vulnerabilities could have been avoided because a better version was available, but was ignored.

Continue reading →

Since Microsoft acknowledged the existence of two actively exploited zero-day vulnerabilities in Exchange Server, security experts were quick to point out that the company was providing bad advice in response.

The URL blocking recommended by Microsoft was found to be sadly lacking, and hackers could easily bypass it. Now Microsoft has provided updated mitigation advice, as well as providing automated protection options.

Continue reading →

In this article, I will try to answer several important questions related to identifying, classifying, prioritizing, and eliminating vulnerabilities in a timely manner, as well as how to automate the vulnerability management process.

Let me start the article by defining the classic process of finding and eliminating vulnerabilities.

Continue reading →

Every year, thousands of code vulnerabilities are discovered, patched and publicly disclosed to improve security for current and potential users.

But many of these vulnerabilities share common features, so what can developers do to write better code that prevents vulnerabilities from entering their apps and services in the first place? We talked to Johannes Dahse, head of R&D at clean code specialist SonarSource, to find out. 

Continue reading →

Google is not alone in offering so-called bug bounty programs which give financial incentives to contributors to track down vulnerabilities and security issues in its software. Now the company has launched a new initiative called the Open Source Software Vulnerability Rewards Program (OSS VRP).

As the name suggests, this new program focuses on Google's open source projects. The company is offering rewards of between $100 and $31,337, depending on the severity of the vulnerability.

Continue reading →

Six months after the Log4Shell vulnerability was made known, vulnerable instances remain accessible on the internet and people attempting to exploit them according to the latest Trustwave SpiderLabs Telemetry report.

Using data gathered from the Shodan device search engine, the report shows that as of June 9, 2022, 1,467 instances were vulnerable to Log4Shell. These vulnerable instances are from the Russian Federation, United States, and Germany with 266 (18 percent), 215 (15 percent), and 205 (15 percent) hosts, respectively.

Continue reading →

Despite the fast changing nature of the world of cybersecurity, it seems that when it comes to vulnerabilities there's still a place for the golden oldies.

New research by Rezilion find that more that 4.5 million internet-facing devices are still vulnerable to vulnerabilities discovered between 2010 to 2020. What's more, for most of these vulnerabilities, active scanning/exploitation attempts have taken place in the past 30 days too.

Continue reading →

The latest vulnerability intelligence report from Flashpoint finds that 52 percent of all vulnerabilities reported in the first half of 2022 that were scored 10.0 -- the most severe level -- on CVSS are likely scored incorrectly.

When scoring, CVSSv2 guidelines take a 'score for the worst' approach if details of some of the metrics used are unclear. But the report points out this has resulted in many vulnerabilities being scored a 10.0, even though they are actually less severe, simply due to vendors providing fewer details.

Continue reading →

The threat landscape facing enterprises is changing constantly. In recent months, major vulnerabilities like Log4j and malware-based threats have demonstrated the need for organizations to move quickly in order to defend themselves.

Is the best way to stay on top of the most pressing threats to harness the power of the global cybersecurity community for defense in a sort of cyber NATO? We talked to SOC Prime CEO Andrii Bezverkhyi to find out.

Continue reading →

Yesterday we wrote about a zero-day vulnerability called Follina which allows for remote code execution on a victim's computer. While the flow -- tracked as CVE-2022-30190 -- has been described as an Office vulnerability, it is really the result of a security issue with a component of Windows.

A problem exists in the Microsoft Windows Support Diagnostic Tool (MSDT) which is found in all supported versions of Windows, including Windows 11. The vulnerability has been billed as an Office vulnerability as using a malicious Word file is one of the easiest attack vectors to exploit the flaw. But what is worrying about the vulnerability, apart from the fact that Microsoft has not fixed it yet, is that the company was made aware of the fact that it was being actively exploited way back on April 12.

Continue reading →