How CISA’s list of “must-patch” vulnerabilities has expanded in both size, and in who’s using it

While CISA says the catalog is catching on, some think it needs improvement.

The post How CISA’s list of “must-patch” vulnerabilities has expanded in both size, and in who’s using it appeared first on CyberScoop.

CISA tells agencies to fix hundreds of software flaws, prep for future vulnerabilities

The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch nearly 300 known, exploited vulnerabilities in a directive published Wednesday. It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. The orders have focused more frequently on one major vulnerability at a time, or have directed agencies to set up broader policies addressing subjects like establishing vulnerability disclosure programs. As rationale, the agency pointed to issues in Microsoft Exchange technology that suspected Chinese hackers seized upon to target victims worldwide in early 2021. Under the order, agencies must patch vulnerabilities from a CISA-created catalog by dates that range from two weeks for flaws observed this year to six months for those prior. Further, agencies must build a process for fixing such vulnerabilities on an ongoing basis in the future. CISA said the directive is a response to its belief […]

The post CISA tells agencies to fix hundreds of software flaws, prep for future vulnerabilities appeared first on CyberScoop.

In search of a B.S. filter for software bugs

An organization can’t — and shouldn’t — care about each of the thousands of software vulnerabilities that are made public each year. A bug in a public-facing web browser probably won’t matter a lick for the control systems at an energy plant; an accounting firm can ignore a vulnerability in industrial computers it doesn’t use. Yet for some organizations, it’s an ongoing struggle to understand how a software bug might impact their business. On Wednesday, cybersecurity company Rapid7 took a stab at the issue by going public with a project that uses crowd-sourced feedback to rate vulnerabilities. The company invited security professionals of all stripes to use a web platform, known as Attacker Knowledge Base (KB), to assess the impact of a vulnerability to an organization, starting with a simple question: What could a malicious hacker do with the bug? The answers rate how easy it would be for a hacker to weaponize a vulnerability or what level of […]

The post In search of a B.S. filter for software bugs appeared first on CyberScoop.

Multiple Vulnerabilities in LibXL Library Open Door to RCE Attacks

Hackers using specially crafted XLS files can trigger several remote code execution vulnerabilities in the LibXL library.