What’s Wrong with New Vulnerability Information?

, , , ,

When it comes to application vulnerabilities, information is everywhere. You can scan social media for the latest discoveries, keep up with what the research community is doing, or depend on vendors to keep you in the loop.

All this information lets you take charge and, once you hear about a new vulnerability, it can be tempting to rush into action. After all, the faster you can resolve the vulnerability, the lower the likelihood of it being exploited.

But slow down. Take stock. Because the most up-to-date information on vulnerabilities isn’t always as useful as it seems.

When now is too soon

The moment somebody uncovers an application vulnerability, they’re keen to share their findings widely. But in their eagerness to share, the slippery slope of misinformation begins.
The problem is that the initial reports of a vulnerability could:

  • Refer to pieces of code that are never called
  • Refer to bugs and errors that don’t create risk – they’re not vulnerabilities in the true sense
  • Depend on the existence of another vulnerability
  • Not apply to all versions, or all instances, or all combinations of software in their varied environments

But the security community doesn’t wait. It’s been taught that reaction speed is everything. So vulnerabilities are reported, then they’re repeated. One inaccuracy – one incorrect detail – is shared endlessly in varied articles and reports.

And you make your decisions based on this information.

The cost of inaccurate or incomplete information

Inaccurate reports fill your workload with false positives to chase. You begin spending your time on things that aren’t relevant to you, or don’t apply to your environment.

Mitigating your exposure could mean testing and patching. Taking nodes off line. Changing several applications in line with the one that’s supposedly vulnerable. It’s widespread disruption, and it comes at a huge cost.

And all the time you’re prioritising those potential risks, you’re ignoring the ones that really matter.

VENOM – critical risk or just another vulnerability?

In May 2015, CrowdStrike discovered VENOM (CVE-2015-3456) – a vulnerability in the virtual floppy drive code used in common virtualisation platforms.

This vulnerability affected a huge number of platforms and, as a result, became big news across the IT security sector. Based on news coverage, social media, and the overall reaction of the community, there was a sense that almost everything needed to be patched – fast.

However, more research made things seem less severe.

Secunia’s Threat Research Team conducted extensive analysis on the vulnerability. After investigation, it became clear that an attacker would need to be on a console or physically at a server to exploit the vulnerability.

The vulnerability was serious but, making things more nuanced, the actual risk posed was comparatively low. And that’s why detailed analysis is so important when you’re about to make expensive decisions.

Focusing your attention on legitimate, significant threats

Informational reports can raise the alarm. But it’s only further investigation that lets you make the right decisions about your response.

Secunia’s analysts don’t just repeat reports. They don’t rush into responding before careful consideration.

The team only releases advisories after vulnerabilities are verified. They assign every vulnerability a clear criticality rating, which can be used to prioritise your patching. And they present every advisory in the same clear and consistent format, that’s easy to understand and full of practical insight.

So that’s why with Secunia VIM you get all the information you need – not just to act fast, but to take the action that’s most appropriate.

Get Verified Vulnerability Intelligence with Secunia VIM