Vulnerabilities / Threats // Vulnerability Management
News & Commentary
USPS Played Cat And Mouse With Cyber Attacker
Jai Vijayan, Freelance writerNews
Postal Service takes restrained, methodical approach to cyberattack. Was this the right strategy?
By Jai Vijayan Freelance writer, 11/24/2014
Comment1 Comment  |  Read  |  Post a Comment
Deconstructing the Cyber Kill Chain
Giora Engel, VP Product & Strategy, LightCyberCommentary
As sexy as it is, the Cyber Kill Chain model can actually be detrimental to network security because it reinforces old-school, perimeter-focused, malware-prevention thinking.
By Giora Engel VP Product & Strategy, LightCyber, 11/18/2014
Comment4 comments  |  Read  |  Post a Comment
Microsoft Fixes Critical SChannel & OLE Bugs, But No Patches For XP
Sara Peters, Senior Editor at Dark ReadingNews
No patches released for the now-unsupported XP even though the 19-year-old OLE bug is critical and "Winshock" bug in Windows' SSL/TLS installation could be worse than Heartbleed.
By Sara Peters Senior Editor at Dark Reading, 11/14/2014
Comment20 comments  |  Read  |  Post a Comment
Time To Turn The Tables On Attackers
Amit Yoran, President, RSACommentary
As a security industry, we need to arm business with innovative technologies that provide visibility, analysis, and action to prevent inevitable breaches from causing irreparable damage.
By Amit Yoran President, RSA, 11/13/2014
Comment5 comments  |  Read  |  Post a Comment
What Scares Me About Healthcare & Electric Power Security
John B. Dickson, CISSP,  Principal, Denim GroupCommentary
Both industries share many of the same issues as enterprises. But they also have a risk profile that makes them singularly unprepared for sophisticated threats
By John B. Dickson CISSP, Principal, Denim Group, 10/28/2014
Comment16 comments  |  Read  |  Post a Comment
Poll: Patching Is Primary Response to Shellshock
Marilyn Cohodas, Community Editor, Dark ReadingCommentary
As potential threats mount, Dark Reading community members home in on patching infrastructure but not devices, according to our latest poll.
By Marilyn Cohodas Community Editor, Dark Reading, 10/24/2014
Comment11 comments  |  Read  |  Post a Comment
3 Enterprise Security Tenets To Take Personally
David Fowler, VP Marketing, INetUCommentary
Individuals need to become conscious advocates for their own security -- after all, no one cares about your data like you do.
By David Fowler VP Marketing, INetU, 10/24/2014
Comment4 comments  |  Read  |  Post a Comment
Insecure Protocol Puts 1.2M SOHO Devices At Risk
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Enterprises should take care to prohibit NAT-PMP traffic on untrusted network interfaces.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/22/2014
Comment1 Comment  |  Read  |  Post a Comment
Cyber Threats: Information vs. Intelligence
Matt Hartley, VP Product Management, iSIGHT PartnersCommentary
Cyber threat intelligence or CTI is touted to be the next big thing in InfoSec. But does it narrow the security problem or compound it?
By Matt Hartley VP Product Management, iSIGHT Partners, 10/22/2014
Comment2 comments  |  Read  |  Post a Comment
'POODLE' Attacks, Kills Off SSL 3.0
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
A newly discovered design flaw in an older version of SSL encryption protocol could be used for man-in-the-middle attacks -- leading some browser vendors to remove SSL 3.0 for good.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 10/15/2014
Comment9 comments  |  Read  |  Post a Comment
Third-Party Code: Fertile Ground For Malware
Peter Zavlaris, Analyst, RiskIQCommentary
How big-brand corporate websites are becoming a popular method for mass distribution of exploit kits on vulnerable computers.
By Peter Zavlaris Analyst, RiskIQ, 10/15/2014
Comment7 comments  |  Read  |  Post a Comment
Shellshock Mayhem Marks The Start Of Malware Mess
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Existing Mayhem botnet malware kit now includes Shellshock exploit -- and experts say that'll be the model for more enterprising criminals.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/13/2014
Comment3 comments  |  Read  |  Post a Comment
Yahoo Server Hack: Shellshocked Or Not?
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Yahoo goes on the record to state that an attack over the weekend was not related to Shellshock, but an independent researcher insists the Bash bug is rearing its head on Yahoo infrastructure.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/7/2014
Comment1 Comment  |  Read  |  Post a Comment
FDA Delivers Medical Device Security Guidelines
Alison Diana, Senior EditorNews
As the FDA attempts to bolster the security of medical devices, some experts warn that guidance is too little, too late.
By Alison Diana Senior Editor, 10/3/2014
Comment0 comments  |  Read  |  Post a Comment
Cloud Suppliers Quickly Patched Xen Bug
Charles Babcock, Editor At Large, InformationWeek News
Amazon was fastest off the starting blocks to patch the Xen hypervisor bug; Rackspace and IBM SoftLayer soon followed.
By Charles Babcock Editor At Large, InformationWeek , 10/3/2014
Comment5 comments  |  Read  |  Post a Comment
Software Assurance: Time to Raise the Bar on Static Analysis
Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology DirectorateCommentary
The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.
By Kevin E. Greene Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 9/30/2014
Comment8 comments  |  Read  |  Post a Comment
Shellshock's Threat To Healthcare
Mac McMillan, CEO, CynergisTekCommentary
The Bash bug is everywhere, including in medical devices. The industry must be better prepared to protect itself and patients.
By Mac McMillan CEO, CynergisTek, 9/29/2014
Comment2 comments  |  Read  |  Post a Comment
Shellshock Bug: 6 Key Facts
Thomas Claburn, Editor-at-LargeNews
The Shellshock bug could do more damage than the recent Heartbleed bug. Here's what you need to know.
By Thomas Claburn Editor-at-Large, 9/27/2014
Comment7 comments  |  Read  |  Post a Comment
Amazon Reboots Cloud Servers, Xen Bug Blamed
Charles Babcock, Editor At Large, InformationWeek News
Amazon tells customers it has to patch and reboot 10% of its EC2 cloud servers before Oct. 1.
By Charles Babcock Editor At Large, InformationWeek , 9/26/2014
Comment4 comments  |  Read  |  Post a Comment
New CVE Naming Convention Could Break Vulnerability Management
Ericka Chickowski, Contributing Writer, Dark ReadingNews
MITRE sets deadline for releasing new CVEs with different ID format syntax, regardless of how many vulnerabilities we see in 2014.
By Ericka Chickowski Contributing Writer, Dark Reading, 9/16/2014
Comment0 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
Posted by ODA155
Current Conversations Did they fix it for free?
In reply to: Re: XP
Post Your Own Reply
More Conversations
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5312
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2012-6662
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

CVE-2014-1424
Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

CVE-2014-7817
Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVE-2014-7821
Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?