On Vulnerability-Adjacent Vulnerabilities

At the virtual Enigma Conference, Maddie Stone of Google’s Project Zero gave a talk about zero-day exploits in the wild. In it, she talked about how often vendors fix vulnerabilities only to have the attackers tweak their exploits to work again. From an MIT Technology Review article:

Soon after they were spotted, the researchers saw one exploit being used in the wild. Microsoft issued a patch and fixed the flaw, sort of. In September 2019, another similar vulnerability was found being exploited by the same hacking group.

More discoveries in November 2019, January 2020, and April 2020 added up to at least five zero-day vulnerabilities being exploited from the same bug class in short order. Microsoft issued multiple security updates: some failed to actually fix the vulnerability being targeted, while others required only slight changes that required just a line or two to change in the hacker’s code to make the exploit work again…


The Linux Flaw you can’t afford to Ignore (CVE-2021-3156)

Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.

CVE-2021-3156 sudo Vulnerability
Last…
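The quickest way to know whether a host is exposed to CVE-2021-3156 is to ask sudo itself. The following is an added example, not code from the article: it pairs a version check against the upstream-vulnerable ranges (fixed in sudo 1.9.5p2) with the probe published in the advisory that disclosed the bug, `sudoedit -s /` run as an unprivileged user. A vulnerable build answers with an error starting `sudoedit:` ("not a regular file"); a fixed build rejects the `-s` flag and prints a `usage:` line. The version ranges and the expected output strings are the only facts assumed here.

```python
"""Added example (not from the article): two checks for CVE-2021-3156 on a host.

1. A version check against the ranges the upstream fix (sudo 1.9.5p2) covers.
   Distributions backport fixes without bumping the version, so this alone
   gives false positives; treat it as a hint, not a verdict.
2. The probe from the disclosure advisory: run `sudoedit -s /` as an
   unprivileged user. A vulnerable build answers "sudoedit: /: not a regular
   file"; a fixed build answers with a "usage:" line.
"""
import re
import subprocess

# Upstream-vulnerable ranges, inclusive: legacy 1.8.x from 1.8.2, and 1.9.x
# before the 1.9.5p2 fix. Version tuples are (major, minor, patch, p-level).
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str):
    """Turn the first line of `sudo --version` ('Sudo version 1.9.5p2')
    into (1, 9, 5, 2). A missing p-level counts as 0; no match gives None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_vulnerable_range(version) -> bool:
    """True if the parsed version falls inside a known-vulnerable range."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def classify_probe(output: str) -> str:
    """Classify the combined stdout/stderr of `sudoedit -s /`."""
    if "not a regular file" in output:
        return "vulnerable"
    if output.lstrip().startswith("usage:"):
        return "patched"
    return "unknown"


def probe_host() -> dict:
    """Run both checks on the current host. Needs sudo installed; runs as the
    invoking (non-root) user and never authenticates (stdin is /dev/null)."""
    try:
        version_text = subprocess.run(
            ["sudo", "--version"], capture_output=True, text=True, check=False
        ).stdout
        probe = subprocess.run(
            ["sudoedit", "-s", "/"],
            capture_output=True, text=True, stdin=subprocess.DEVNULL, check=False,
        )
    except FileNotFoundError:
        return {"version": None, "version_vulnerable": None, "probe": "sudo not installed"}
    version = parse_sudo_version(version_text)
    return {
        "version": version,
        "version_vulnerable": version_in_vulnerable_range(version) if version else None,
        "probe": classify_probe(probe.stdout + probe.stderr),
    }


if __name__ == "__main__":
    print(probe_host())
```

The probe result is the one to trust: a distribution kernel of sudo 1.8.31 with a backported fix will still look vulnerable by version but answer `usage:` to the probe.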

February 2021 Patch Tuesday forecast: The human communication aspect

We spend a lot of time each month discussing the technical details surrounding vulnerabilities, software updates, and the tools we use for patch management in our organizations. But in the end, the success of patch management is dependent on the coordi…

Bad patching practices are a breeding ground for zero-day exploits, Google warns

Customers of major software vendors take comfort whenever a vendor issues a security fix for a critical software vulnerability. The clients expect that software update to keep attackers from stealing sensitive information. But new data from Google’s elite hacking team, Project Zero, suggests that assumption is misplaced. One in four “zero-day,” or previously unknown, software exploits that the Google team tracked in 2020 might have been avoided “if a more thorough investigation and patching effort were explored,” Project Zero researcher Maddie Stone said Wednesday. In some cases, the attackers only changed a line or two of code to turn their old exploit into a new one. Many of the zero-day exploits were for popular internet browsers like Chrome, Firefox or Safari, exposing an array of users around the world. Project Zero’s sample size is modest, covering just 24 exploits in all. But the data points to a need for greater […]

The post Bad patching practices are a breeding ground for zero-day exploits, Google warns appeared first on CyberScoop.
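Both the Schneier post and the CyberScoop piece above make the same point: a patch that blocks the one input an exploit used, rather than the bug class, invites a variant that differs by a line or two. The following is an added, constructed illustration of that pattern; it is not code from either article and not the Microsoft bug they refer to. The percent-decoding path "sink", the document root and the variant payloads are all hypothetical.

```python
"""Constructed illustration: a narrow patch that blocks one exploit string
versus a fix that removes the underlying bug class.

Added example, not from either article. The document root, the variant
payloads and the percent-decoding 'sink' are hypothetical.
"""
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/public"  # hypothetical document root


def sink(base: str, raw: str) -> str:
    """Original behaviour: percent-decode the request path, then join it onto
    the document root. The traversal happens in the join, not in any one byte
    sequence, so the join is what a real fix has to address."""
    return posixpath.normpath(posixpath.join(base, unquote(raw)))


def is_blocked_v1(raw: str) -> bool:
    """The 'patch' that only blocks the byte sequence seen in the first exploit."""
    return "../" in raw


def is_blocked_root_cause(base: str, raw: str) -> bool:
    """The root-cause fix: decide on the *resolved* path and reject anything
    that does not stay underneath the document root."""
    target = sink(base, raw)
    return posixpath.commonpath([base, target]) != base


# Constructed variants. The first is the 'original' exploit; the next two are
# the kind of one-line edit an attacker makes once v1 ships; the last is a
# legitimate request that both checks must still allow.
VARIANTS = {
    "original": "../../../etc/passwd",
    "percent-encoded dots": "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "percent-encoded slash": "..%2f..%2f..%2fetc/passwd",
    "benign": "img/logo.png",
}


def evaluate(base: str = BASE) -> dict:
    """For each variant, report whether each fix blocks it and where the
    request would have resolved to."""
    return {
        name: {
            "v1_blocks": is_blocked_v1(raw),
            "root_cause_blocks": is_blocked_root_cause(base, raw),
            "resolves_to": sink(base, raw),
        }
        for name, raw in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:22} v1={result['v1_blocks']!s:5} "
              f"root-cause={result['root_cause_blocks']!s:5} -> {result['resolves_to']}")
```

The narrow check catches only the payload that was reported; both encoded variants sail past it and still resolve to `/etc/passwd`. The root-cause check ignores how the bytes were spelled and tests the property the bug violates, so the variants fall with the original while the benign request still passes.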


Backdoor in Zyxel Firewalls and Gateways

This is bad:

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

[…]

Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.

“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday…
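A password that sits in plaintext in a binary is also trivial to look for once it is known, which is how an operator can confirm a firmware image or extracted filesystem still carries the account before and after patching. The following is an added example, not the researchers' code: it extracts printable strings the way `strings` does and searches a blob for the quoted credentials in raw, UTF-16LE and base64 form. The sample blob is constructed for the example and is not Zyxel firmware; the only real data in it are the two strings quoted above.

```python
"""Added example, not from the report: look for a known hardcoded credential
inside a firmware image or extracted binary.

The sample blob below is constructed for this example; it is not Zyxel
firmware. The only real data in it are the two strings the article quotes.
"""
import base64
import re


def extract_strings(blob: bytes, min_len: int = 5):
    """What `strings` does: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def encodings(secret: str):
    """The forms a credential string commonly takes inside a binary."""
    raw = secret.encode("ascii")
    yield "ascii", raw
    yield "utf-16le", secret.encode("utf-16-le")
    yield "base64", base64.b64encode(raw)


def find_secret(blob: bytes, secret: str):
    """Every (encoding, offset) at which the secret occurs in the blob."""
    hits = []
    for name, needle in encodings(secret):
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


def scan_for_backdoor(blob: bytes, credentials) -> dict:
    """Map each known credential string to the places it appears."""
    return {secret: find_secret(blob, secret) for secret in credentials}


# The username and password quoted in the article.
ZYXEL_BACKDOOR = ("zyfwp", "PrOw!aN_fXp")

# Constructed sample: an ELF-looking header, a small C-style string table
# holding the credentials, some non-printable filler, and one base64 copy of
# the password to show that encoded copies are caught as well.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 16
    + b"admin\x00zyfwp\x00PrOw!aN_fXp\x00"
    + b"\x00\xff" * 32
    + base64.b64encode(b"PrOw!aN_fXp") + b"\x00"
)


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print("string:", s)
    for secret, hits in scan_for_backdoor(SAMPLE_BLOB, ZYXEL_BACKDOOR).items():
        print(f"{secret!r}: {hits or 'not found'}")
```

Run it against an unpacked firmware tree by reading each file into `scan_for_backdoor`; an empty hit list for every file after the update is the confirmation that the account's credentials are gone from the image, which is a stronger statement than "the login no longer works".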


NIST SP 800-128 – Because Patching May Never Fix Your Hidden Flaws

Over the last few years, the idea of patching systems to correct flaws has graduated from an annoying business disruption to a top priority. With all of the notorious vulnerabilities that can wreak total havoc, the time it takes to patch becomes a mino…

Cloud is King: 9 Software Security Trends to Watch in 2021

Researchers predict software security will continue to struggle to keep up with cloud and IoT in the new year.

The Dangers of Security Vulnerability Scoring Dependency

Article by Nathan King, Director, Cyberis
Vulnerability scoring has an important role in most enterprise threat and vulnerability management programmes because it provides multiple benefits to internal security teams when identifying any weaknesses. Ad…