Defending a network against threats of growing complexity requires a mix of technology and policies that are as sophisticated as the campaigns created by attackers. A necessary component of an effective defense is tackling the low-hanging fruit: basic tasks such as patching vulnerabilities and updating old software.
However, as we relate in the Cisco 2016 Annual Security Report, too many organizations are relying on seriously outdated network components and operating systems, which gives adversaries even more opportunity to infiltrate or attack their networks.
Tags: 2016 Annual Security Report, 2016 ASR, infrastructure, vulnerabilities
The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.
Bulletins Rated Critical
Microsoft bulletins MS16-001 through MS16-006 are rated as critical in this month's release.
MS16-001 and MS16-002 are this month's Internet Explorer and Edge security bulletins, respectively. In total, four vulnerabilities are addressed, and unlike in previous months there are no vulnerabilities that IE and Edge have in common.
- MS16-001 is the IE bulletin for IE versions 7 through 11. It addresses two vulnerabilities: CVE-2016-0002, a use-after-free flaw, and CVE-2016-0005, a privilege escalation flaw. Note that CVE-2016-0002 is a VBScript engine vulnerability that this bulletin fixes only on systems with IE 8 through 11 installed. Systems running IE 7 or earlier, or with no IE installed at all, need MS16-003 to patch this vulnerability.
- MS16-002 is the Edge bulletin and also addresses two vulnerabilities. Both CVE-2016-0003 and CVE-2016-0024 are memory corruption vulnerabilities that could result in remote code execution if exploited.
One special note regarding this month's IE bulletin: in August 2014, Microsoft announced the end of support for Internet Explorer versions older than IE 11, taking effect today. As a result, this month's bulletin is the final one for the affected versions. After today, "only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates." That wording also defines the exceptions: on platforms where IE 11 is not available, the newest version that is available remains supported, namely Windows Vista SP2 (IE 9), Windows Server 2008 SP2 (IE 9), and Windows Server 2012 (IE 10). For more information on the IE end-of-life, please refer to Microsoft's documentation.
Tags: ASLR bypass, Microsoft, patch tuesday, remote code execution, Talos, vulnerabilities
In October, we announced details about Cisco PSIRT’s new and improved security vulnerability disclosure format. Our Chief Security and Trust Officer, John Stewart, also revealed that Cisco will launch an application programming interface (API) that empowers customers to customize Cisco vulnerability information and publications. Today, we have officially launched the Cisco PSIRT openVuln API and it is available for immediate use.
The Cisco PSIRT openVuln API is a RESTful API that allows customers to obtain Cisco security vulnerability information in different machine-consumable formats. It supports industrywide security standards such as the Common Vulnerability Reporting Framework (CVRF), the Open Vulnerability and Assessment Language (OVAL), Common Vulnerabilities and Exposures (CVE) identifiers, and the Common Vulnerability Scoring System (CVSS).
This API allows technical staff and programmers to build tools that help them do their job more effectively. In this case, it enables them to easily keep up with security vulnerability information specific to their network. That frees up more time for them to manage their network and deploy new capabilities in their infrastructure.
Tags: API, cvrf, openvuln, OVAL, psirt, security, security automation, vulnerabilities
Cisco is committed to protecting customers by sharing critical security-related information in different formats. Guided by customer feedback, Cisco's Product Security Incident Response Team (PSIRT) is seeking ways to improve how we communicate information about Cisco product vulnerabilities to our Customers and Partners. As John Stewart mentioned in his blog post, the Cisco PSIRT has launched a new and improved security vulnerability disclosure format. The new Cisco Security Advisories can be accessed at http://www.cisco.com/go/psirt and at http://cisco.com/security.
The intent is to make it easier for Customers and Partners to access information about all security vulnerabilities in Cisco products. Each vulnerability disclosed through our new security advisories is assigned a Common Vulnerabilities and Exposures (CVE) identifier to aid in identification. Additionally, Cisco will continue to assess all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.
Tags: Cisco PSIRT, cvrf, Open Vulnerability and Assessment Language (OVAL), OVAL, psirt, security advisories, security automation, vulnerabilities, vulnerability disclosure, vulnerability management
Today, we released the last Cisco IOS & XE Software Security Advisory Bundled Publication of 2015. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (the fourth Wednesday of March and September each calendar year). Last cycle, we began including Cisco Security Advisories addressing vulnerabilities in Cisco IOS XE Software in this publication. This change was a direct result of your feedback, and we hope the timeline and additional “bundling” continues to allow organizations to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in their environments.
Today’s edition of the Cisco IOS & XE Software Security Advisory Bundled Publication includes three advisories that affect the following technologies:
- IPv6 First-Hop Security
- SSH Version 2 (SSHv2)
- Cisco IOS XE Software
You may recall that Cisco announced enhancements to the Cisco IOS Software Checker last year. As my colleague Kevin Saling shared, the tool can display first-fixed software release data based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories.
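The "first release that addresses all selected advisories" computation is simple once release strings are comparable. The Python below is an added example of that logic, written for this page; it is not the Cisco IOS Software Checker's code, and the advisory IDs and first-fixed release lists in it are constructed placeholders, not data from real advisories. It assumes the common IOS release form major.minor(maintenance)TRAIN[rebuild][letter], such as 15.2(4)M7 or 12.4(24)T8a, and only compares releases within the train the device is running, since a rebuild number in one train says nothing about another.

```python
import re

# Constructed first-fixed data keyed by placeholder advisory IDs. These are not
# real Cisco advisories; the release strings are illustrative only.
FIRST_FIXED = {
    "cisco-sa-example-a": ["15.2(4)M7", "15.4(3)M4", "15.5(3)S2"],
    "cisco-sa-example-b": ["15.2(4)M8", "15.4(3)M3"],
    "cisco-sa-example-c": ["15.4(3)M5"],          # deliberately has no fix in the 15.2M train
}

# major.minor(maintenance)TRAIN[rebuild][letter], e.g. 15.2(4)M7, 12.4(24)T8a, 12.2(33)SXI
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?([a-z])?$")


def parse_release(text):
    """Turn an IOS release string into a tuple that orders correctly within one train."""
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, minor, maint, train, rebuild, letter = m.groups()
    return (int(major), int(minor), int(maint), train or "", int(rebuild or 0), letter or "")


def format_release(rel):
    """Inverse of parse_release; a rebuild of 0 is rendered as no rebuild at all."""
    major, minor, maint, train, rebuild, letter = rel
    return f"{major}.{minor}({maint}){train}{rebuild or ''}{letter}"


def train_of(rel):
    """The train a release belongs to: major, minor and train letters, e.g. (15, 2, 'M')."""
    return (rel[0], rel[1], rel[3])


def first_fixed_for_all(running, advisory_ids, first_fixed=FIRST_FIXED):
    """For a device on `running`, report the first release in its train that fixes
    every advisory in `advisory_ids`, which of them the device is still exposed to,
    and which have no fix in that train at all (those need a train migration)."""
    run = parse_release(running)
    train = train_of(run)
    overall = None
    still_vulnerable = []
    no_fix_in_train = []
    for adv in advisory_ids:
        fixes = [parse_release(r) for r in first_fixed.get(adv, [])]
        in_train = [f for f in fixes if train_of(f) == train]
        if not in_train:
            no_fix_in_train.append(adv)
            continue
        fix = min(in_train)            # earliest fixed release in this train
        if run < fix:
            still_vulnerable.append(adv)
        if overall is None or fix > overall:
            overall = fix              # the release fixing everything is the latest of the fixes
    return {
        "first_fixed": format_release(overall) if overall else None,
        "still_vulnerable_to": still_vulnerable,
        "no_fix_in_train": no_fix_in_train,
    }


if __name__ == "__main__":
    print(first_fixed_for_all("15.2(4)M5", list(FIRST_FIXED)))
```

Because the fix for every advisory is the latest of the individual first-fixed releases, adding advisories to the selection can only move the target release later, never earlier; and an advisory with no first-fixed entry in the running train means the upgrade path is a train change, not a rebuild bump.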
Tags: Cisco IOS software, psirt, security, security advisories, vulnerabilities