IBM 1,691 - SC Magazine

VULNERABILITY UPDATE
February 2015 - April 2015

In this issue
1. 4 Adobe Flash and 3 Windows zero-days so far
2. Cisco IOS – make sure your routers and switches are safe, too!
3. A moving target – repeat business laced with shiny new apps

Total number of new vulnerabilities in the Top 20* over the 3 month period: 1,691
Vendor with most vulnerable products in the 3 month period: IBM
secunia.com
Products with the most vulnerabilities: Apple Macintosh OS X, Avant Browser

1. 4 Adobe Flash and 3 Windows zero-days so far

We have seen seven publicly disclosed zero-day vulnerabilities in the first four months of 2015 – all of them in Adobe Flash Player and Microsoft Windows, two of the most widespread programs globally, on private PCs and corporate infrastructures alike. The number supports Secunia’s prediction that we would see a continuation of the 2014 trend, where the number of zero-days increased quite dramatically. And it is an alarming trend. Here’s why:

A zero-day vulnerability, by Secunia’s definition, is a vulnerability that is actively exploited by hackers before it is publicly known. It can be either patched or unpatched on the day it is disclosed to the public - the requirement is that it needs to have been exploited in the wild before disclosure.

The cloak-and-dagger nature of zero-days makes them a perfect entry point in, for example, Advanced Persistent Threat attacks: on a regular basis, zero-days are highlighted in the media and by the security industry as a popular attack method-of-choice for government agencies and private, criminal organizations engaged in espionage and other malicious activities.

The increase in zero-days is an indication that these types of attacks are becoming an increasingly commonplace type of criminal activity – and an indication that digital crime is becoming increasingly sophisticated, targeted and professional.

As a side note: Although the continued high number of zero-days is a concern, it would also be a concern if we saw a dramatic drop in zero-days from end of 2014 to start of 2015. This could be a sign that the industry is failing to discover a lot of zero-days out there.

And it goes without saying: the only thing worse than a zero-day you know is a zero-day you haven’t met yet!

These are the Secunia Advisories pertaining to the seven zero-days discovered in January, February, March and April 2015: SA62076, SA62432, SA62452, SA62528, SA64026, SA64059 and SA64146.

2. Cisco IOS – make sure your routers and switches are safe, too!

Cisco’s operating system, Cisco IOS, was on the top 20 list for March with 23 vulnerabilities. While the number in itself is nothing spectacular, it is interesting enough that this operating system is used on many of the routers that operate the internet, and also on Cisco network switches found in many company networks globally. It emphasizes the importance of never forgetting that vulnerabilities occur in all kinds of -ware.

If you are an IT security professional, you know that simply monitoring and patching the high-visibility applications used in office environments is only the tip of the iceberg. Even so, it is good to be reminded every now and again that it is critical to keep track of all the software, firmware, middleware and hardware in your infrastructure.

Knowing your environment means you are able to exercise damage control when vulnerabilities appear, which is critical, particularly when it comes to the less-sexy behind-the-scenes products that do not make the headlines. Vendors behind products that are high-profile among consumers are, generally speaking, quicker to issue patches when vulnerabilities are discovered in their products: update-availability speed is a requirement for consumer-facing applications, and it’s bad press to be accused of jeopardizing consumer security. Consumer-facing products from vendors like Adobe and Microsoft, for example, have standard one-month patch cycles, with the resources to throw in an additional patch for high-priority issues.

For B2B products with low public awareness, response times are frequently slower for a number of reasons, including a higher degree of complexity in patch deployment requirements and - for some - a lower prioritization of security resources in-house.

In the case of Cisco, the company has a scheduled six-month patch cycle for vulnerabilities that qualify for the Cisco Security Advisory, and a more ad-hoc approach to the vulnerabilities that qualify for Cisco Security Notices. Cisco does in some cases release out-of-band Security Advisories.

3. The moving target – repeat business laced with shiny new apps

Every three months, Secunia issues what we call our “Country Reports” – a set of data detailing the applications that leave private PCs in specific countries the most exposed to hacking, calculated based on whether or not users patch the vulnerable applications on their PCs. Looking at those reports, you will find the same applications and vendors figuring on the Most Exposed list quarter after quarter – it’s Oracle, Adobe, Microsoft and Apple plus a few more.

Looking at the Top 20 lists in this report provides a more nuanced picture and is significant from a corporate IT perspective: While there is certainly “repeat business” every month, these lists present a wide variety of products, used in all manner of business contexts, reminding us that vulnerability management is a fickle discipline: what you patched to stay secure last month will do your security very little good next month!

TOP 20

FEBRUARY 2014
MARCH 2014

ID      VULNS   PRODUCT
1352    84      Avant Browser
24179   51      Google Chrome
56290   35      IBM Tivoli Netcool Configuration Manager
35791   32      IBM Notes (formerly IBM Lotus Notes)
36174   32      Microsoft Windows Server 2012
31967   31      Avaya Aura System Manager
33724   31      Microsoft Windows 8
37195   31      IBM Domino (formerly IBM Lotus Domino)
38138   30      Microsoft Windows RT
31152   28      Blue Coat PolicyCenter
35467   28      Blue Coat Packetshaper
12666   24      Mozilla Firefox
4761    23      Cisco IOS
1674    22      Adobe Flash Player
1907    22      Adobe AIR
16424   22      phpBugTracker
33878   22      IBM Business Process Manager
55208   22      IBM Security Access Manager for Web
11085   21      Microsoft Windows Server 2008

ID      VULNS   PRODUCT
56112   58      IBM Power Systems
8735    57      IBM WebSphere Application Server
10130   41      IBM Hardware Management Console (HMC)
8707    25      IBM Lotus Notes Client
33724   25      Microsoft Windows 8
35791   25      IBM Notes (formerly IBM Lotus Notes)
36174   25      Microsoft Windows Server 2012
37195   25      IBM Domino (formerly IBM Lotus Domino)
38138   25      Microsoft Windows RT
37145   22      IBM Security Network Protection
24592   21      IBM Tivoli Monitoring
12666   20      Mozilla Firefox
26234   18      OSSIM (AlienVault Open Source SIM)
55842   18      AlienVault Unified Security Management (USM)
1674    16      Adobe Flash Player
8702    16      IBM InfoSphere Information Server
12789   16      MySQL
17307   15      uCosminexus Operator

11084   20      Microsoft Windows Server 2003
38512   15      uCosminexus Developer
38592   20      Microsoft Windows 7

APRIL 2015

ID      VULNS   PRODUCT
2372    84      Apple Macintosh OS X
24179   54      Google Chrome
24551   39      IBM Cognos Business Intelligence
10130   31      IBM Hardware Management Console (HMC)
58501   30      Oracle Solaris 10
34908   25      IBM Security Network Intrusion Prevention System
56178   25      IBM Systems Director Storage Control
666     24      Apple TV
33724   24      Microsoft Windows 8
36174   24      Microsoft Windows Server 2012
4140    22      BIG-IP Application Security Manager
18462   22      SQLite
31086   22      F5 TMOS
33276   22      BIG-IP Global Traffic Manager
36264   22      BIG-IP Local Traffic Manager
36351   22      F5 BIG-IP Access Policy Manager
38138   22      Microsoft Windows RT
56774   21      F5 BIG-IP Advanced Firewall Manager
56775   21      F5 BIG-IP Analytics (AVR)
56777   21      F5 BIG-IP Policy Enforcement Manager

*: Definition of the Top 20: The Top 20 are the 20 products with the most vulnerabilities in the specified month, out of the more than 50,000 products verified by Secunia Research, and recorded in the Secunia Vulnerability Database. The Secunia ID identifies the product. Secunia Advisories cover vulnerabilities announced for all types of programs and operating systems.

Disclaimer: The data in this report is a snapshot. Because Secunia Advisories are updated continuously, as new information becomes available, data in snapshots taken on different dates may vary.