Tag: Vulnerabilities

  • Microsoft, CVE, MITRE, ETERNALBLUE, Headache…

    2019-02-14 Update: Thanks to Chris Mills @ MSRC (@TheChrisAM), who has been working behind the scenes since this blog was published and has brought clarity to these assignments! MSRC is still potentially touching up some additional documentation to make it easier to see these associations, but here is the definitive answer from him: CVE-2017-0143 ShadowBrokers…

  • New libssh Vulnerability – No Logo But Plenty Of Attention

    [This was originally published on RiskBasedSecurity.com.] Earlier this week, Andreas Schneider announced the release of a new version of libssh, covering “an important security” that addressed “an authentication bypass vulnerability in the server code”. Pretty quickly we saw several news articles published that covered this issue, as well as third-party blogs that added commentary on the technical side of the vulnerability. Since we were following the…

  • RIP CERT.org – You Will Be Missed

    [This was originally published on RiskBasedSecurity.com.] On February 22, Will Dormann tweeted that the main CERT Coordination Center (CERT/CC) website (www.cert.org) had been shuttered. Upon checking ourselves we found the website now redirecting to the Software Engineering Institute at Carnegie Mellon, the parent group of CERT. As a 14-year veteran at CERT/CC, Dormann understandably had some feelings about the…

  • Researchers Find One Million Vulnerabilities?!

    [This was originally published on RiskBasedSecurity.com.] No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve…

  • Analysis Of The RANDom Report on Zero-days and Vulnerability Rediscovery

    [This was originally published on RiskBasedSecurity.com.] On March 9, 2017, RAND released a report (PDF) titled “Zero Days, Thousands of Nights; The Life and Times of Zero-Day Vulnerabilities and Their Exploits” by Lillian Ablon and Andy Bogart that received a fair amount of press. The RAND press release goes on to describe it as “the first publicly available research to…

  • The Steady Rise of Bounty Programs, and the Counterpart

    [This was originally published on RiskBasedSecurity.com.] Companies that said seven years ago they would not pay for vulnerability information have been steadily expanding their programs to pay for more and more vulnerability information, and recently made Edge bounties permanent. Service-oriented companies like Uber, that rely on a significant amount of user interaction and transactions via mobile apps, also utilize…

  • Electronic Voting; an Old but Looming Threat

    [This was originally published on RiskBasedSecurity.com.] As everyone on the planet knows, U.S. politics are in full swing with primaries almost every week and an upcoming presidential election in November of this year. At Risk Based Security we find it curious that one of the most dangerous topics seems to evade the 24-hour a day…

  • Badlock: The Day of Reckoning [Update #4]

    [This was originally published on the RBS Blog.] Word circulated earlier today that Badlock would be revealed at 1PM EST, which is curious given that Microsoft’s “Patch Tuesday” releases are not always public by that time. Almost ten minutes before 1PM, word of the patches being public was making the rounds. The three patches and associated…

  • Badlock: All Quiet on the Disclosure Front [Update #3]

    [This was originally posted on the RBS blog.] With a week to go before the hyped Badlock vulnerability gets disclosed (with patches, finally!), it has been mostly quiet as far as any further detail or insight. In the fourteen days since it was first announced, MITRE has still not seen fit to issue a CVE identifier for…

  • Badlock: The Day After [Update #2]

    Late last night, Steve Ragan published an article on the CSO Salted Hash blog titled “Company behind the Badlock disclosure says pre-patch hype is good for business”, immediately taking SerNet to task over their handling of the disclosure so far. One of the more telling parts of his article came during a conversation between Sean…