On January 14, Microsoft issued a statement acknowledging a crucial security flaw within its Windows 10 operating systems. Reported by the National Security Agency (NSA), the security flaw is a failure in the Windows 10 CryptoAPI service. This flaw affects both Windows 10 and Windows Server Update systems.
The API allows developers to sign their programs digitally. This shows that the program comes from an accredited source and is free from tampering. The vulnerability would allow for hackers to easily spoof digital signatures. This lets their websites and software appear legitimate to Microsoft authentication checks, creating a breach of trust.
Source: Windows Server Update Services at SoftwareReviews, Report Published April 2019
A bug in Microsoft’s core computing processes is concerning. The API should not allow the altering of digital signatures. As a result, executable programs that are downloaded under the pretense of being a normal update may be used to Trojan in harmful software. “This is a core, low-level piece of the Windows operating system and one that establishes trust between administrators, regular users, and other computers on both the local network and the internet,” says Kenn White, security principal at MongoDB. Kenn furthered this by stating, “If the technology that ensures that trust is vulnerable, there could be catastrophic consequences.”
Windows 10 is the most commonly deployed desktop operating system in use today. This security flaw affects any device that operates using Windows 10 or one of the Windows server systems. This includes devices operated by the government, small and large businesses, healthcare providers, and core infrastructure. The API flaw in Windows 10 has the potential to affect millions of people worldwide. We’ve seen the use of this type of spoofing before in the Stuxnet virus to disastrous effect. Microsoft has developed an emergency patch for download to prevent the abuse of its security flaws. It’s recommended that any users of either Windows 10 or Windows Server Update Service update their devices immediately to the latest patch.
By exploiting a five-year-old configuration error, a hacker was able to access Amazon’s S3 cloud storage buckets on which Twilio’s code was loaded. As a result, customers were able to unknowingly download the modified code for twenty-four hours.
Qualys VMDR and Ivanti have announced a new partnership dedicated to improving the detection and patching of vulnerabilities. Announced July 30, the Qualys and Ivanti Partnership have already gone live as an integrated component of the VMDR solution.
Microsoft recently previewed the specific features to tackle data security and risk management for end users with Microsoft Endpoint Data Loss Prevention (DLP) and Double Key Encryption. The reason for the launch? The increasing shift towards a remote work environment and a need to mitigate the accompanying risks.
IBM is changing the terms of its ubiquitous Passport Advantage agreement to remove entitled discounts on over 5,000 on-premises software products, resulting in an immediate price increase for IBM Software & Support (S&S) across its vast customer landscape.
RiskSense announced on July 13 its new version of the cloud-delivered RiskSense risk management platform. The main draw of the program is its holistic risk calculation across CVEs and CWEs.
To bolster and broaden its data privacy capabilities for end users, cyber and data protection vendor Acronis has acquired DLP player DeviceLock. The acquisition aligns with the increasingly prevalent role that data privacy plays in cybersecurity.
Cyberthreats are omnipresent for any enterprise. Monitoring ingress and egress points while still conducting business is a balance security professionals attempt to strike. Couple this with the continued security issues around remote work during the pandemic, and security teams have their hands full.
Navigating the vendor risk management space, particularly in the current environment that consists of a mix of cloud, managed services, and critical supply chain, is key to ensuring that you don’t inadvertently introduce new risks through this dynamic channel.
On May 26, Kenna Security released its new Prioritization to Prediction Benchmark Survey. This free tool provides organizations with the ability to compare their vulnerability management programs to industry averages Kenna Security has compiled over the years.