Vulnerability Update, February 17, 2015

The Vulnerability Update from Secunia

  • Total number of new vulnerabilities in the Top 20* over the 3 month period: 1,357
  • Vendor with most vulnerable products in the 3 month period: IBM
  • Product with the most vulnerabilities: X.Org XServer

And 2015 is off – two Adobe Flash zero-days in January

Adobe Flash, an application used by businesses and private users alike, saw two zero-days in January 2015 and a third at the beginning of February. It has been a dramatic start to 2015, which looks to be picking up where 2014 left off. Zero-days are a formidable challenge to businesses, because what defines a zero-day is that it is being exploited in the wild before the vendor has a patch for it. When the zero-day is in an application with a high market share, like Flash, that simply means more entry points into any organization. There are two ways to respond: remove the affected product from everywhere in your infrastructure, which can effectively paralyze the business, especially when the application is bundled and widespread, or have complete visibility into your systems and complete control of your data. With visibility, good policies and procedures, and intelligence about the vulnerability, you can section off business-critical data until a patch becomes available.

Google listens to community and improves Project Zero

At the start of the year, Google picked a fight with big rivals like Microsoft and Apple by rigidly enforcing an aggressive disclosure policy as part of Project Zero – a disclosure policy that took no prisoners. In short, Google refused to extend disclosure dates beyond 90 days, which was the response time the giant had decided was enough to fix any vulnerabilities.

In response to the security community voicing concerns about the inflexible deadlines, on February 13 Google adjusted the disclosure policy. Among other improvements, the policy now includes a 14-day grace period: when a vendor tells Google before the deadline that a fix is scheduled for release within two weeks of it, disclosure waits for that release. Google will also refrain from disclosing an “unpatched issue” unless the deadline is significantly missed (by more than two weeks).

At Secunia, we are pleased that Google has decided to loosen up a little. Listening to the security community is the sensible thing to do, and it is a win for the overall security of both companies and private users. Only attackers gained from Google disclosing a vulnerability just a few days before the vendor shipped a patch for it.

Java – the app users just don’t patch!

Oracle rolled out yet another set of security patches for Java in its January Critical Patch Update, fixing 19 vulnerabilities in Java SE. We will take this opportunity to remind everyone to patch Java! This cannot be repeated often enough: businesses need to patch the corporate environment, and to remember that the employees’ own devices connected to it need to be patched as well. Java is notoriously left unpatched on private devices. In every single Secunia Country Report issued, Oracle Java sits very high on the “Most Exposed” list. That rank comes from a market share of around 65%, combined with the fact that private users simply do not patch Java: the unpatched share is usually between 40 and 50%.

“Ghost” in your machines? Highly likely!

January 2015 has seen a new vulnerability in the “Catchy Nickname” trend that started in 2014, once again in a widely used open source library.

“Ghost”, CVE-2015-0235, is the name of a vulnerability in the GNU C Library (glibc): a heap-based buffer overflow in the gethostbyname() and gethostbyname2() functions, triggered by a specially crafted host name. The fix landed in glibc in May 2013 and shipped in version 2.18, but it was not recognized as a security fix at the time, so it was not backported to the older releases that long-term-support distributions and embedded products keep shipping. Every glibc from 2.2 up to and including 2.17 is affected. These older versions are bundled in applications and appliances from a number of different vendors, and those vulnerable products must therefore also be identified and patched. As we write, Secunia has issued 24 advisories on products made vulnerable by Ghost, covering products from McAfee, Cisco, IBM, Red Hat and Xerox among others.

The vulnerability is rated Moderately Critical by Secunia, and successful exploitation may allow execution of arbitrary code. Because the overflow is reached through an ordinary name lookup, any service that resolves attacker-supplied host names is a candidate target, and a patched libc only protects a process once that process has been restarted and loaded the new copy. Solution?

Check whether and where you are using any of the products affected, apply the patch, and restart the services that use the library (or reboot)!
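A version string tells you what a vendor shipped, not whether the libc a host actually runs still has the bug, so a local check is worth having. The program below is an added example, not Secunia's code; it is modelled on the canary test that Qualys published alongside its advisory. It hands gethostbyname_r() a purely numeric name sized to just fit the caller's buffer: a vulnerable glibc under-counts the space it needs and overruns the buffer by up to one pointer, clobbering the canary placed right after it, while a fixed glibc refuses with ERANGE before writing anything. The function name ghost_check, the canary string and the three-way result are this example's own choices.

```c
/* GHOST (CVE-2015-0235) local check, modelled on the canary test that
 * Qualys published with its advisory. Added example: not Secunia's code.
 *
 * The bug: __nss_hostname_digits_dots() in glibc < 2.18 under-counted the
 * bytes it needed when gethostbyname*() was handed a purely numeric name,
 * so a name that just fits the caller's buffer overruns it by up to
 * sizeof(char *) bytes. A fixed glibc notices the shortfall and fails with
 * ERANGE before writing anything.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* arbitrary marker, this example's own */

/* Buffer handed to gethostbyname_r(), followed by a canary that an
 * overflow of the buffer would clobber. */
struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* Return  1 if the canary was overwritten (GHOST present),
 *         0 if the library refused the request with ERANGE (fixed glibc),
 *        -1 if neither happened (e.g. a non-glibc libc): inconclusive. */
int ghost_check(void)
{
    struct probe temp;
    struct hostent resbuf, *result = NULL;
    int herrno = 0, retval;
    char name[sizeof(temp.buffer)];

    memcpy(temp.buffer, "buffer", sizeof("buffer"));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* Largest numeric name the vulnerable size calculation accepts:
     * buffer minus the 16-byte address slot, two pointers and the NUL.
     * The missing sizeof(char *) for the alias pointer is the bug. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;          /* buffer overran into the canary: vulnerable */
    if (retval == ERANGE)
        return 0;          /* fixed glibc rejected the oversized request */
    return -1;             /* some other outcome: not a glibc, or unknown */
}

int main(void)
{
    switch (ghost_check()) {
    case 1:  puts("vulnerable");                return EXIT_FAILURE;
    case 0:  puts("not vulnerable");            return EXIT_SUCCESS;
    default: puts("inconclusive (not glibc?)"); return EXIT_SUCCESS;
    }
}
```

Compile with `cc -o ghost ghost.c` and run it as an ordinary user; no network access is needed, because the numeric-name path is taken before any resolver or NSS lookup. Run it against each statically or privately bundled libc as well, not just the system one, since the bundled copies are exactly the ones the vendor advisories above are about.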

Source: Secunia Vulnerability Update for Q4 2014 (http://secunia.com/landing/vulnerability-update/).
