Vulnerabilities / Threats // Vulnerability Management
News & Commentary
Poll: Patching Is Primary Response to Shellshock
Marilyn Cohodas, Community Editor, Dark ReadingCommentary
As potential threats mount, Dark Reading community members hone in on patching infrastructure but not devices, according to our latest poll.
By Marilyn Cohodas Community Editor, Dark Reading, 10/24/2014
Comment0 comments  |  Read  |  Post a Comment
3 Enterprise Security Tenets To Take Personally
David Fowler, VP Marketing, INetUCommentary
Individuals need to become conscious advocates for their own security -- after all, no one cares about your data like you do.
By David Fowler VP Marketing, INetU, 10/24/2014
Comment3 comments  |  Read  |  Post a Comment
Insecure Protocol Puts 1.2M SOHO Devices At Risk
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Enterprises should take care to prohibit NAT-PMP traffic on untrusted network interfaces.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/22/2014
Comment1 Comment  |  Read  |  Post a Comment
Cyber Threats: Information vs. Intelligence
Matt Hartley, VP Product Management, iSIGHT PartnersCommentary
Cyber threat intelligence or CTI is touted to be the next big thing in InfoSec. But does it narrow the security problem or compound it?
By Matt Hartley VP Product Management, iSIGHT Partners, 10/22/2014
Comment2 comments  |  Read  |  Post a Comment
'POODLE' Attacks, Kills Off SSL 3.0
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
A newly discovered design flaw in an older version of SSL encryption protocol could be used for man-in-the-middle attacks -- leading some browser vendors to remove SSL 3.0 for good.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 10/15/2014
Comment9 comments  |  Read  |  Post a Comment
Third-Party Code: Fertile Ground For Malware
Peter Zavlaris, Analyst, RiskIQCommentary
How big-brand corporate websites are becoming a popular method for mass distribution of exploit kits on vulnerable computers.
By Peter Zavlaris Analyst, RiskIQ, 10/15/2014
Comment7 comments  |  Read  |  Post a Comment
Shellshock Mayhem Marks The Start Of Malware Mess
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Existing Mayhem botnet malware kit now includes Shellshock exploit -- and experts say that'll be the model for more enterprising criminals.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/13/2014
Comment3 comments  |  Read  |  Post a Comment
Yahoo Server Hack: Shellshocked Or Not?
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Yahoo goes on the record to state that an attack over the weekend was not related to Shellshock, but an independent researcher insists the Bash bug is rearing its head on Yahoo infrastructure.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/7/2014
Comment1 Comment  |  Read  |  Post a Comment
FDA Delivers Medical Device Security Guidelines
Alison Diana, Senior EditorCommentary
As the FDA attempts to bolster the security of medical devices, some experts warn that guidance is too little, too late.
By Alison Diana Senior Editor, 10/3/2014
Comment0 comments  |  Read  |  Post a Comment
Cloud Suppliers Quickly Patched Xen Bug
Charles Babcock, Editor At Large, InformationWeek Commentary
Amazon was fastest off the starting blocks to patch the Xen hypervisor bug; Rackspace and IBM SoftLayer soon followed.
By Charles Babcock Editor At Large, InformationWeek , 10/3/2014
Comment5 comments  |  Read  |  Post a Comment
Software Assurance: Time to Raise the Bar on Static Analysis
Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology DirectorateCommentary
The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.
By Kevin E. Greene Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 9/30/2014
Comment8 comments  |  Read  |  Post a Comment
Shellshock's Threat To Healthcare
Mac McMillan, CEO, CynergisTekCommentary
The Bash bug is everywhere, including in medical devices. The industry must be better prepared to protect itself and patients.
By Mac McMillan CEO, CynergisTek, 9/29/2014
Comment2 comments  |  Read  |  Post a Comment
Shellshock Bug: 6 Key Facts
Thomas Claburn, Editor-at-LargeCommentary
The Shellshock bug could do more damage than the recent Heartbleed bug. Here's what you need to know.
By Thomas Claburn Editor-at-Large, 9/27/2014
Comment7 comments  |  Read  |  Post a Comment
Amazon Reboots Cloud Servers, Xen Bug Blamed
Charles Babcock, Editor At Large, InformationWeek Commentary
Amazon tells customers it has to patch and reboot 10% of its EC2 cloud servers before Oct. 1.
By Charles Babcock Editor At Large, InformationWeek , 9/26/2014
Comment4 comments  |  Read  |  Post a Comment
New CVE Naming Convention Could Break Vulnerability Management
Ericka Chickowski, Contributing Writer, Dark ReadingNews
MITRE sets deadline for releasing new CVEs with different ID format syntax, regardless of how many vulnerabilities we see in 2014.
By Ericka Chickowski Contributing Writer, Dark Reading, 9/16/2014
Comment0 comments  |  Read  |  Post a Comment
HealthCare.gov Breach: The Ripple Effect
Alison Diana, Senior EditorCommentary
Hackers breached a HealthCare.gov test server, reportedly affecting no records, but the repercussions could spread across many medical organizations.
By Alison Diana Senior Editor, 9/6/2014
Comment18 comments  |  Read  |  Post a Comment
Secure The Core: Advice For Agencies Under Attack
Vijay Basani, CEO, EiQ NetworksCommentary
When facing state-sponsored attacks, perimeter security is never enough.
By Vijay Basani CEO, EiQ Networks, 9/3/2014
Comment2 comments  |  Read  |  Post a Comment
Online Tools For Bug Disclosure Abound
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
What's driving the bounty of software vulnerability disclosure offerings today from Bugcrowd, HackerOne, and Synack.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 8/26/2014
Comment4 comments  |  Read  |  Post a Comment
When Big Data & Infants' Privacy Collide
Alison Diana, Senior EditorCommentary
Technology allows researchers to discover newborns' genetic secrets, but the long-term repercussions worry some parents and privacy advocates.
By Alison Diana Senior Editor, 8/25/2014
Comment16 comments  |  Read  |  Post a Comment
All In For The Coming World of 'Things'
Don Bailey, Founder & CEO, Lab Mouse SecurityCommentary
At a Black Hat round table, experts discuss the strategies necessary to lock down the Internet of Things, the most game-changing concept in Internet history.
By Don Bailey Founder & CEO, Lab Mouse Security, 8/25/2014
Comment6 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.