Security News

US DoD Launches Vuln Disclosure Program for Contractor Networks
2021-04-06 14:23

The United States Department of Defense this week announced the launch of a new vulnerability disclosure program on HackerOne to identify vulnerabilities in Defense Industrial Base contractor networks. Running as a pilot, the Defense Industrial Base Vulnerability Disclosure Program covers participating DoD contractor partners' information systems and web properties, as well as other assets within scope, and is separate from the DoD vulnerability disclosure program that already runs on HackerOne.

QNAP caught napping as disclosure delay expires, critical NAS bugs revealed
2021-04-02 23:07

Some QNAP network-attached storage devices are vulnerable to attack because of two critical vulnerabilities, one enabling unauthenticated remote code execution and another allowing arbitrary file writes. On Thursday QNAP released TS-231 firmware version 4.3.6.1620, which addresses a command injection vulnerability and a vulnerability in the Apache HTTP server.

GRIMM launches Private Vulnerability Disclosure program to allow defenders to get ahead of the unknown
2021-03-30 02:00

GRIMM announced the launch of the company's new Private Vulnerability Disclosure program. The offering aims to let defenders get ahead of the attack curve, instead of reacting to unknown threats, by providing customers with details of previously unknown vulnerabilities ahead of public disclosure.

Report: US Gov Executive Order to Mandate Data Breach Disclosure
2021-03-26 16:54

A proposed executive order would set new rules on the disclosure of data breaches that also affect United States government agencies, according to a Reuters news report. The report said the executive order, which could be released as soon as the following week, would require software vendors to notify their U.S. government customers of cyber-security breaches that also affect those customers.

The perils of non-disclosure? China 'cloned and used' NSA zero-day exploit for years before it was made public
2021-02-23 00:50

A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed. Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty was spawned sometime around 2014 from NSA exploit code that eventually leaked online in 2017.

2020 vulnerability disclosures on track to exceed those from 2019
2021-02-12 04:30

2020 vulnerability disclosures are on track to exceed 2019 despite a sharp decrease of 19.2% observed earlier in the year, according to Risk Based Security. Despite the initial disruption from COVID-19, the trend of total number of vulnerabilities suggests that business operations and routines have normalized as the gap has closed to 0.98%. "2020 could be titled 'The Great Catch-up'. We saw an incredible drop of 19.2% in Q1, but with each subsequent quarter that massive gap steadily closed," commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

2020 to reach vulnerability disclosure levels similar to those in 2019
2020-12-10 05:00

The number of vulnerability disclosures is back on track to reach or surpass the 2019 total as we head into 2021, according to Risk Based Security. Earlier in 2020 the gap was instead a sharp decline of 19.2%. "At the end of Q1 this year, we saw what appeared to be a sharp decline in vulnerability disclosures as compared to 2019, dropping by 19.2%. Statistically that is huge," commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

The effectiveness of vulnerability disclosure and exploit development
2020-11-19 06:00

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges a long-held assumption of the security space: namely, that disclosing an exploit before a patch is available creates a sense of urgency among companies to fix the problem. The data suggests it does not.

Information Disclosure, XSS Vulnerabilities Patched in Drupal
2020-09-17 14:39

Several information disclosure and cross-site scripting vulnerabilities, including one rated critical, have been patched this week in the Drupal content management system. The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9.

UK's NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process
2020-09-16 07:21

The U.K.'s National Cyber Security Centre has released a guide to help organizations get started with implementing a vulnerability disclosure process. A well-defined vulnerability disclosure program, NCSC argues, reduces the reputational damage that uncoordinated public disclosure can cause, and allows companies not only to establish a way to take action on reported vulnerabilities, but also to inform the reporting party that the issue is being managed.