On Pace To Break 20k Mark For Disclosed Vulnerabilities

The number of vulnerabilities disclosed through Q3 of 2018, though significant and on pace to exceed 20,000, is down from the same point last year and will likely fall short of the record-breaking 2017 year-end total of more than 22,000 disclosed vulnerabilities, according to Risk Based Security. Today, Risk Based Security announced the public […]

New libssh Vulnerability – No Logo But Plenty Of Attention

Earlier this week, Andreas Schneider announced the release of a new version of libssh, covering “an important security” that addressed “an authentication bypass vulnerability in the server code”. Pretty quickly we saw several news articles published that covered this issue, as well as third-party blogs that added commentary on the technical side of the vulnerability. […]

Getting To Know Your Electronic Voting Machine. Friend Or Foe?

In April 2016, we published a blog on electronic voting machine (EVM) vulnerabilities titled “To date, Risk Based Security has cataloged over 260 vulnerabilities in electronic voting machines.” Today, that number stands at 292. With the midterm elections coming up, the topic of voter influence, foreign meddling, and EVM security is back in the news, including another […]

Pay No Attention To The Vulnerabilities Behind The Curtain

For years, Microsoft’s Patch Tuesday has been something that all IT professionals (not just security practitioners) dread. Since the practice was introduced in October 2003 to reduce the cost of distributing patches, it has become a point of consistency in patch cycles, and a source of grumbling because it often requires a full day or […]

Apache Struts Distraction Continues While Over 600 Additional Vulnerabilities Have Been Released

While everyone has been heavily focused on, or we could say distracted by, the recent Apache Struts vulnerability, the steady flow of additional vulnerabilities being disclosed continues. As we recently pointed out, the flood of vulnerabilities is not letting up this year. They range from the fairly mundane that likely affects few people, to ones […]

Thoughts On The NTIA Software Component Transparency Meeting

I was able to attend the NTIA meeting on Software Component Transparency on July 19th, 2018 hosted in Washington, D.C. at the American Institute of Architects. The meeting was webcast and might eventually be published for others to watch in the future. This was our first time attending (though we really should have been at […]

Watch Out! Another Nasty Apache Struts Vulnerability Has Been Disclosed!

Here we go again! Today, a brand new Apache Struts vulnerability (CVE-2018-11776) has been disclosed that can result in remote code execution. Sure, the patch is out there, but this one is a CVSSv2 10.0 or “Critical” issue, which for many organizations should mean a full stop, all hands on deck […]

Our Reports Clickbait? No. Click Here To Find Out Why…

Last week, we published our 2018 mid-year report that included an overview of the vulnerabilities that we have tracked and included in VulnDB. We highlighted a key takeaway from the report in the title: “Over 3,000 [vulnerabilities] You May Not Know About”. This statement is based on our aggregation of over three thousand vulnerabilities in […]

More Than 10,000 Vulnerabilities Disclosed So Far In 2018 – Over 3,000 You May Not Know About

Risk Based Security today announced the release of its 2018 Mid Year VulnDB QuickView report that shows there have been 10,644 vulnerabilities disclosed through June 30th. This is the highest number of disclosed vulnerabilities at the mid-year point on record. The 10,644 vulnerabilities cataloged during the first half of 2018 by Risk Based Security’s research […]

The Great (belated) Mozilla Firefox CVE Dump

On June 11th, MITRE published descriptions and references for 318 entries, all relating to Mozilla Firefox. Yes; three hundred and eighteen entries. It may be tempting to think Mozilla was holding back on disclosures, or that there was a flurry of research activity leading to a slew of new vulnerabilities being discovered. But no, this would […]