1089 matches found

Qualys Blog, added 2018/05/14 6:47 p.m., 87 views

What we’ve got here is failure to communicate: OS vendors misread CPU docs, create flaw

In a memorable scene from “Jumpin’ Jack Flash,” Whoopi Goldberg struggles to understand the lyrics of the eponymous song from the Rolling Stones, as she pleads: “Mick, Mick, Mick, speak English!” It appears that multiple operating system vendors had similar trouble interpreting Intel and AMD...

CVSS 7.2, AI score 7.6, EPSS 0.18404, Exploits: 9

Qualys Blog, added 2018/05/08 6:20 p.m., 178 views

May 2018 Patch Tuesday – Medium Weight, However One Active Exploit Needs Attention

This May's Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers. In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical. 32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay...

CVSS 10, AI score 0.5, EPSS 0.87814, Exploits: 9

Qualys Blog, added 2018/05/08 1:08 a.m., 160 views

Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers

The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers. Twitter picks a good day for password-change call As “change your password”...

CVSS 7.5, AI score 10, EPSS 0.9995, Exploits: 10

Qualys Blog, added 2018/05/07 4:00 p.m., 1356 views

How To Prioritize Vulnerabilities in a Modern IT Environment

Here’s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of “High” or “Critical.” That works out to about 3,000 such vulnerabilities, or about 58 every week. Given this large number of severe vulnerabilities, it’s...

CVSS 10, AI score 0.2, EPSS 0.99999, Exploits: 44

Qualys Blog, added 2018/04/27 4:00 p.m., 86 views

Gaining Control over Your Digital Certificates

Digital certificate management is in an inadequate state at most organizations, a serious problem, considering that SSL/TLS certificates are critical for a host of e-business functions. “If you’re doing something on the Internet, you’re using SSL,” Asif Karel, a Qualys Director of Product...

AI score 0.2, Exploits: 0

Qualys Blog, added 2018/04/25 4:00 p.m., 38 views

When Preparing for GDPR, Don’t Neglect Public Cloud Security

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, protecting these environments is critical for compliance with the EU's General Data Protection Regulation (GDPR). These public cloud platforms are being used to pow...

AI score 6.7, Exploits: 0

Qualys Blog, added 2018/04/24 9:14 p.m., 57 views

Orangeworm Targeting Healthcare Industry since 2015 Now Exposed

Operating since 2015, a threat group dubbed Orangeworm has been newly attributed to hacking and infiltrating healthcare groups around the world. Companies specifically targeted include hospitals, healthcare providers, pharmaceuticals, IT services firms serving the healthcare industry, and more...

AI score 0.4, Exploits: 0

Qualys Blog, added 2018/04/23 9:44 p.m., 58 views

Qualys WAS Introduces Swagger Support for REST API Security Testing

In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of...

AI score 8.7, Exploits: 0

Qualys Blog, added 2018/04/19 11:00 p.m., 294 views

The Sky Is Falling! Responding Rationally to Headline Vulnerabilities

It’s happening more and more. Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018 High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide. Even...

CVSS 10, AI score 10, EPSS 0.99999, Exploits: 44

Qualys Blog, added 2018/04/18 6:00 p.m., 67 views

Dr. Michio Kaku Paints Fascinating Picture of the Future at Qualys’ RSA Booth

Contact lenses that access the Internet literally at the blink of an eye. Toilets that detect cancer-indicating enzymes. Human settlements on Mars. Beaming one’s mind into outer space using lasers. Watching a video of your dreams after you wake up. Those were just a few of the mind-blowing...

AI score 6.8, Exploits: 0

Qualys Blog, added 2018/04/16 10:59 p.m., 65 views

Qualys: Cloud Security Must Move Towards ‘Transparent Orchestration’

What does the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar. Whenever his 7-year old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu,...

AI score 6.7, Exploits: 0

Qualys Blog, added 2018/04/13 4:00 p.m., 61 views

Indication of Compromise: Another Key Practice for GDPR Compliance

In this ongoing blog series on preparing for complying with the EU’s General Data Protection Regulation (GDPR), we’ve explained the importance of having solid, foundational security practices like asset management and threat prioritization. Today, we’ll discuss how another such practice can help...

AI score 7.2, Exploits: 0

Qualys Blog, added 2018/04/10 6:22 p.m., 46 views

April Patch Tuesday – 63 Microsoft vulnerabilities, 19 for Adobe

Today's Patch Tuesday is smaller than last month, but there are more critical updates this time. Out of the 63 vulnerabilities covered by the Microsoft patches, 22 of them are critical. Adobe has released 6 bulletins covering 19 vulnerabilities. According to Microsoft and Adobe, there are no acti...

AI score 7.9, Exploits: 0

Qualys Blog, added 2018/04/09 8:34 p.m., 57 views

Vendor Risk Bites Sears, Delta and Best Buy, while Saks, Lord & Taylor Deal With Breach

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news. Sears, Delta and Best Buy: Another vendor risk incident What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines...

AI score 7.2, Exploits: 0

Qualys Blog, added 2018/04/06 6:07 p.m., 62 views

Call For Customer Presentations at Black Hat USA 2018!

Tell your security story to your peers at Black Hat USA 2018! Qualys is looking for customers excited to share their security and DevSecOps successes, best practices for building security into modern enterprises and case studies leveraging the use of the Qualys Cloud Platform. Take the stage in t...

AI score 0.9, Exploits: 0

Qualys Blog, added 2018/04/04 4:00 p.m., 65 views

Put FIM in Your GDPR Toolbox

File integrity monitoring, like other foundational security practices such as vulnerability management, helps organizations comply with the EU’s General Data Protection Regulation (GDPR). FIM specifically provides security controls in three key areas for GDPR: Ensuring integrity of data stored in...

AI score 6.8, Exploits: 0

Qualys Blog, added 2018/04/02 6:02 p.m., 236 views

Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing

In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news -- this time involving Microsoft -- and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability. Microsoft...

CVSS 7.5, AI score 9.7, EPSS 0.99993, Exploits: 48

Qualys Blog, added 2018/03/30 7:05 p.m., 117 views

A “Patch for the Meltdown Patch” released out of band Thursday night

The Meltdown/Spectre saga continues… Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038. Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did...

CVSS 7.2, AI score 7.3, EPSS 0.08915, Exploits: 2

Qualys Blog, added 2018/03/30 4:00 p.m., 43 views

Continuous Web Security Assessment for Production and DevOps Environments

Web applications have become essential for business, as they simplify and automate key functions and processes for employees, customers and partners, making organizations more agile, innovative and efficient. Unfortunately, many web applications are also unsafe due to latent vulnerabilities and...

AI score 7.5, Exploits: 0

Qualys Blog, added 2018/03/29 4:00 p.m., 47 views

Securing your Cloud and Container DevOps Pipeline

Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments. Driving this growth in cloud computing adoption is its essential role in digital...

AI score 7.2, Exploits: 0

Qualys Blog, added 2018/03/28 9:29 p.m., 332 views

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score. F5 BIG IP encodes private IP addresses in the persistent cookies, which could be collected by the attacker and decoded back. The...

AI score 6.9, Exploits: 0

Qualys Blog, added 2018/03/26 4:00 p.m., 63 views

Feds Take On Foreign Hackers, While 880K Orbitz Customers “Likely” Affected by Data Breach

In this edition of Qualys’ infosec news digest, we look at Orbitz’s data breach, AMD’s vulnerabilities controversy, and recent actions by the U.S. government against alleged Russian and Iranian cyber spies. Orbitz was kinda, sorta, maybe hacked Orbitz disclosed last week that personal information...

AI score 6.9, Exploits: 0

Qualys Blog, added 2018/03/22 10:27 p.m., 74 views

Qualys Cloud Platform (VM, PC) 8.13 New Features

This new release of the Qualys Cloud Platform (VM, PC), version 8.13, includes several new feature improvements across the apps such as the ability to test authentication records, as well as improvements to UDC’s and report options in Qualys Policy Compliance. Feature Highlights Qualys Cloud Platfo...

AI score 7.2, Exploits: 0

Qualys Blog, added 2018/03/19 4:00 p.m., 60 views

Webcast Q&A: The GDPR Deadline Readiness and Impact to Global Organizations Outside the EU

With the EU’s General Data Protection Regulation (GDPR) going into effect in late May, organizations are hungry for clarifying information regarding its vaguely-worded requirements, in particular as they apply to cyber security and IT compliance. This interest in better understanding how to comply...

AI score 6.5, Exploits: 0

Qualys Blog, added 2018/03/14 4:54 p.m., 36 views

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendo...

AI score 6.8, Exploits: 0

Qualys Blog, added 2018/03/13 6:39 p.m., 113 views

March Patch Tuesday – 75 Microsoft vulnerabilities, 7 for Adobe

Today's Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities. All of the critical vulnerabilities from Microsoft are...

CVSS 7.6, AI score 2.1, EPSS 0.82334, Exploits: 4

Qualys Blog, added 2018/03/13 3:00 p.m., 34 views

PCI DSS v3.2 & Exposing Session ID in URL

Passing the session ID in the URL such as QID 150068 “Session ID in URL” will be marked as a Fail for PCI as of April 15, 2018 in accordance with PCI DSS v3.2. QID 150068 is a PCI Fail according to PCI DSS v3.2 Requirement 6.5.10: 6.5.10 Examine software development policies and procedures and...

AI score 7.3, Exploits: 0

Qualys Blog, added 2018/03/09 9:45 p.m., 467 views

Cryptomining is all the rage among hackers, as DDoS amplification attacks continue

In this week’s InfoSec news review we’ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones. I, me, mine The freight train that’s cryptomining shows no sign of slowing down, and the cyber security...

CVSS 10, AI score 10, EPSS 0.99999, Exploits: 44

Qualys Blog, added 2018/03/07 5:00 p.m., 65 views

GDPR: The Stakes Are High and Time Is of the Essence

With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents. GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lo...

AI score 6.6, Exploits: 0

Qualys Blog, added 2018/03/05 7:21 p.m., 81 views

TLS 1.0 Deprecation for Qualys Cloud Platform

Qualys will require all connections to our Cloud Platform to use TLS 1.1 or higher beginning April 2nd 2018, in order to align with industry best practices for security and data integrity. Please ensure that you are using TLSv1.1+, or your connectivity to the Cloud Platform will be impacted. This...

AI score 6.7, Exploits: 0

Qualys Blog, added 2018/03/02 2:48 p.m., 142 views

Apple in the InfoSec Spotlight, as GitHub Falls Prey to Amplified DDoS Attack

Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics' hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to...

CVSS 4.7, AI score 7.5, EPSS 0.93838, Exploits: 12

Qualys Blog, added 2018/02/27 5:00 p.m., 54 views

Recline on the Qualys Couch: Examining Patching Behavior

In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks. Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months...

AI score 7.2, Exploits: 0

Qualys Blog, added 2018/02/20 6:36 p.m., 56 views

Qualys Cloud Platform 2.32 New Features

This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, File Integrity Monitoring, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows. Post update...

AI score 7, Exploits: 0

Qualys Blog, added 2018/02/16 5:06 p.m., 159 views

Hackers Hit the Olympics, While Patch Tuesday and Meltdown / Spectre Keep IT Departments On Edge

This week offered a representative sampling of different corners of the cyber security world: The monthly Patch Tuesday, a brazen attack against the Olympics, new Meltdown and Spectre concerns, and a boost for Intel’s bug bounty program. Oh, and the gargantuan Equifax data breach may have been ev...

CVSS 9.3, AI score 7.3, EPSS 0.93838, Exploits: 12

Qualys Blog, added 2018/02/13 7:38 p.m., 51 views

February Patch Tuesday – 55 Microsoft vulnerabilities patched, 45 for Adobe

For this month's Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week. From this list, there are patches for a vulnerability...

CVSS 7.6, AI score 7.9, EPSS 0.16778, Exploits: 0

Qualys Blog, added 2018/02/12 5:00 p.m., 15 views

Securing IT Assets By Prioritizing Protection And Remediation

As hackers get faster at weaponizing exploits for disclosed bugs, InfoSec teams need — more than ever — automated, continuous and precise IT asset inventorying, vulnerability management, threat prioritization and patch deployment. Critical vulnerabilities that linger unpatched for weeks or months...

AI score 7.4, Exploits: 0

Qualys Blog, added 2018/02/09 3:20 p.m., 90 views

Intel Makes Spectre Patch Progress, while Adobe Grapples with Latest Flash Bug

It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild. Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, a...

CVSS 7.5, AI score 7.3, EPSS 0.93838, Exploits: 31

Qualys Blog, added 2018/02/06 5:12 p.m., 16 views

If You Think File Integrity Monitoring is Boring, Think Again

You’ll be hard pressed to find file integrity monitoring on any list of cool, emerging, cutting-edge cybersecurity technologies. But if you choose to ignore this mature, foundational technology, it’ll be at great risk. File integrity monitoring, or FIM, plays a key role in critical security and...

AI score 6.8, Exploits: 0

Qualys Blog, added 2018/02/05 5:00 p.m., 15 views

Countdown to GDPR: For GDPR Compliance, Web App Security Is a Must

With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU's General Data Protection Regulation (GDPR). First discussed in the 1990s and turned into law in 2016, GDPR goes into effect in May of thi...

AI score 8.3, Exploits: 0

Qualys Blog, added 2018/02/03 2:00 a.m., 88 views

SSL Labs Grading Update: Forward Secrecy, Authenticated Encryption and ROBOT

Update March 1, 2018: The completion of these changes is documented under Version 1.31.0 in the SSL Labs Changelog. We are giving advance notification for following grading criteria changes applying from March 1, 2018: Not using forward secrecy, not using AEAD suites, and vulnerability to ROBOT...

AI score 6.8, Exploits: 0

Qualys Blog, added 2018/02/02 2:58 p.m., 77 views

Meltdown / Spectre: New Concerns Over Intel Patches, as Hackers Test Exploits

This week brought new developments in the Meltdown / Spectre saga, including more concerns about Intel’s buggy patches, and mounting evidence that hackers are trying to create exploits for the vulnerabilities. It seemed that after weeks of complaints and confusion, Intel’s issue had hit bottom an...

CVSS 4.7, AI score 6.9, EPSS 0.93838, Exploits: 12

Qualys Blog, added 2018/01/31 5:00 p.m., 52 views

Continuous Security and Compliance Monitoring for Global IT Assets

In today’s information security world, all assets everywhere must be detected, visible, protected and compliant -- all the time. It’s no longer enough to rely on “point in time” security and compliance assessments, such as scheduled weekly or monthly scans on handpicked critical servers. “You mus...

AI score 6.8, Exploits: 0

Qualys Blog, added 2018/01/26 3:16 p.m., 107 views

Meltdown/Spectre: Intel Nixes Patches, Tech CEOs Questioned on Information Blackout

IT departments and tech vendors continued grappling with Spectre and Meltdown this week, as Intel pulled its glitchy patches and the U.S. Congress questioned the vulnerability disclosures' timing and scope. Spectre and Meltdown aren't typical vulnerabilities for a number of reasons, and as a...

CVSS 4.7, AI score 6.7, EPSS 0.93838, Exploits: 12

Qualys Blog, added 2018/01/25 2:19 a.m., 49 views

Qualys Cloud Suite 8.12 New Features

This new release of the Qualys Cloud Suite, version 8.12, adds new reporting options for the PC Report, allowing you to include new summaries in the remediation section of the report for control failures. Feature Highlights Qualys Policy Compliance PC/SCAP PC Report: Failure Summary Section – You...

AI score 6.9, Exploits: 0

Qualys Blog, added 2018/01/18 10:22 p.m., 102 views

Meltdown and Spectre Aren’t Business as Usual

The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk. “Meltdown and Spectre are different...

CVSS 4.7, AI score 0.3, EPSS 0.93838, Exploits: 12

Qualys Blog, added 2018/01/16 11:08 p.m., 54 views

Meltdown / Spectre Mitigation Is a Work in Progress

Since researchers disclosed the Meltdown and Spectre vulnerabilities on Jan. 3, vendors and IT departments have been consumed trying to figure out how to properly address the potentially devastating effects of these kernel-level bugs. By now, one thing we know for sure is that dealing with the...

AI score 7, Exploits: 0

Qualys Blog, added 2018/01/16 8:34 p.m., 22 views

Continuous Security & Compliance Demo Series

This series shows you how to effectively navigate security risks, new regulations and new technologies in support of a secure and compliant digital transformation. Qualys product managers walk you through the new features of Qualys Cloud Platform and Apps and show you how to get maximum leverage...

AI score 6.9, Exploits: 0

Qualys Blog, added 2018/01/15 9:31 p.m., 23 views

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendo...

AI score 6.6, Exploits: 0

Qualys Blog, added 2018/01/09 7:56 p.m., 76 views

January Patch Tuesday – Meltdown/Spectre, 16 Critical Microsoft Patches, 1 Adobe Patch

Due to the disclosure of Meltdown and Spectre, Microsoft released several patches last week with the ranking "Important." While there are no active attacks against these vulnerabilities, a special focus should be placed on any of the browser patches, due to potential attacks using JavaScript. It ...

CVSS 9.3, AI score 7.6, EPSS 0.93838, Exploits: 12

Qualys Blog, added 2018/01/09 2:36 a.m., 199 views

Meltdown/Spectre and Qualys Cloud Platform

In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities...

CVSS 4.7, AI score 6.9, EPSS 0.93838, Exploits: 12