The issue used to be understanding that applications could be vulnerable. Today, you know that attackers can exploit your software to gain wider system access.
That’s in large part due to headline incidents in which major vulnerabilities were discovered in common applications. From VENOM to Code Red to Heartbleed, more and more vulnerabilities are picked up by specialist media. Some of the biggest even manage to hit the mainstream press.
But while knowing that vulnerabilities pose a huge danger is a good start, it’s actually not that useful. It just leads to a bigger question – what on earth do I do now?
When vulnerabilities hit the big time
Forget celebrities and footballers – the mainstream press is increasingly concerned with our network security. After all, we’re in a world where everything is connected. From phones to thermostats to fridges, the Internet of Things means everything can be networked.
And in a digital age, digital crime is just as important as any other form.
Take ShellShock. In 2014, open source software developer Stephane Chazelas discovered a bug in the Unix Bash shell that could be exploited to run arbitrary code. As a result, people could execute malicious commands on any device where Bash is used – everything from Linux web servers to Apple laptops and smartphones.
Having gone unnoticed in Bash since 1993, this was big news. So when Chazelas disclosed the bug he had uncovered, it was detailed everywhere from specialist IT security websites to The Huffington Post and The Guardian.
With even a cursory eye on the latest news, you couldn’t help but know about ShellShock. So it was easy to get to work, investigating where Bash was present across your network and applying the relevant patches.
But ShellShock, widely reported as it was, is the exception to the rule.
You’re probably familiar with ShellShock. You can’t have missed Heartbleed. But without celebrity status, CVE-2015-0332 hasn’t hit the headlines.
SA62621 Adobe Flash Player / AIR Multiple Vulnerabilities
Despite a less catchy name, this vulnerability is serious. It affects Adobe Flash Player and Adobe AIR – popular, commonplace applications that most of us are running.
According to Secunia’s detailed vulnerability advisory, the vulnerability relates to a series of exploits that could be used to corrupt memory, and then used to run arbitrary code.
Like ShellShock before it, CVE-2015-0332 represents a huge risk. Thankfully, it’s easily fixed with an update to the latest Adobe Flash Player and Adobe AIR versions.
But CVE-2015-0332 hasn’t been reported. The Guardian hasn’t given it a glance. The Huffington Post hasn’t posted.
So how can you expect to know about the latest vulnerabilities as soon as they happen, let alone resolve them quickly?
How do you check for critical vulnerabilities?
The security community has a collaborative approach to disclosing and logging all vulnerabilities as they’re discovered. Meanwhile, most reputable software vendors aim to keep customers informed.
So, to keep up with the latest vulnerabilities, you could:
- Use an open source vulnerability database like OSVDB – manually checking every application you use for vulnerabilities. But how often? Every hour? Every day? Every week?
- Sign up for updates from every third-party software vendor you use – and trust that they’ll keep you updated about vulnerabilities as soon as they happen.
The problem is that this doesn’t leave a lot of time for everything else you need to do. Staying on top of application vulnerabilities requires a significant investment of time.
And even if you can spare the time, this approach depends on a 100% accurate view of all the third-party software that’s installed across your entire network.
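The manual check described above, as an added example that is not part of the original article and is not Secunia's code: it matches a software inventory against an advisory list and separately reports hosts that have no inventory record at all. The advisory ID and CVE come from the article; the version numbers, host names and function names are constructed placeholders.

```python
import re
from itertools import zip_longest

# Constructed advisory feed. ID and CVE are from the article; the
# "fixed_in" versions are placeholders, not vendor data.
ADVISORIES = [
    {"id": "SA62621", "cve": "CVE-2015-0332",
     "product": "adobe flash player", "fixed_in": "2.0.0.10"},
    {"id": "SA62621", "cve": "CVE-2015-0332",
     "product": "adobe air", "fixed_in": "3.0.0.5"},
]

# Constructed inventory: host -> {installed product name: version}.
INVENTORY = {
    "ws-001": {"Adobe Flash Player": "2.0.0.9", "Adobe AIR": "3.0.0.5"},
    "ws-002": {"Adobe Flash Player": "2.0.0.10"},
    "ws-003": {"adobe air": "3.0.0"},
    "srv-01": {},  # scanned, nothing relevant installed
}

def parse_version(text):
    """Turn '2.0.0.10' into (2, 0, 0, 10); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def is_older(installed, fixed):
    """Numeric comparison per component; missing components count as 0.
    A plain string comparison would wrongly rank '2.0.0.9' above '2.0.0.10'."""
    pairs = zip_longest(parse_version(installed), parse_version(fixed), fillvalue=0)
    for have, need in pairs:
        if have != need:
            return have < need
    return False

def find_exposed(inventory, advisories):
    """Return sorted (host, product, installed version, advisory id) tuples."""
    findings = []
    for host, software in inventory.items():
        normalized = {name.strip().lower(): ver for name, ver in software.items()}
        for adv in advisories:
            installed = normalized.get(adv["product"])
            if installed is not None and is_older(installed, adv["fixed_in"]):
                findings.append((host, adv["product"], installed, adv["id"]))
    return sorted(findings)

def uninventoried(known_hosts, inventory):
    """Hosts with no inventory record: their exposure is unknown, not zero."""
    return sorted(set(known_hosts) - set(inventory))
```

The second function is the point of the paragraph above: a host missing from the inventory never appears in the findings, however vulnerable it is.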
The advantage of specialist vulnerability intelligence
It’s your job to eliminate application vulnerabilities through diligent patching. But it’s also your job to do lots of other things.
Secunia’s threat research team is dedicated to assessing reported vulnerabilities, verifying the nature of the exploit, assigning a clear criticality rating, and publishing all this information to the IT community. They keep on top of the latest threats so you don’t have to.
And with Secunia CSI, you get the advantage of Secunia’s expert vulnerability intelligence along with an accurate software inventory and packaging and deployment through Microsoft System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) integration.
So you always know which third-party applications you’re running. And you always know about the latest vulnerabilities – even if you don’t recognise their names.
emt Distribution is the regional distributor for Secunia. Secunia is recognized industry-wide as a significant global player, within the IT security ecosystem, in the niche of Software Vulnerability Management. Our award-winning portfolio equips corporate and private customers worldwide with Vulnerability Intelligence, Vulnerability Assessment, and automated Security Patch Management tools to manage and control software vulnerabilities across networks and endpoints.