Start stockpiling tinned beans and ammo: This malware will end civilisation

  • 6 February 2015
  • 0 replies
  • 112 views

6 Feb 2015 at 12:05, John Leyden
 
Media hype is affecting vendors’ patching strategies to the detriment of internet security, vulnerability management firm Secunia warns.
The high-profile Heartbleed OpenSSL vulnerability triggered the mass patching of 600 products by more than 100 vendors within just 40 days. A further OpenSSL vulnerability from June 2014 led to a patch for 800 affected products. Yet a third OpenSSL vulnerability in August led to a patch of just 75 products.
Kasper Lindgaard, Secunia's director of research and security, told El Reg that although there were differences between the August vulnerability and Heartbleed, the flaws were of comparable severity. At least 200 products were affected by the August vulnerability but only 75 were actually patched within a month or so. The inference is that because no one was shouting from the rooftops about the latter, nothing got done.
Heartbleed, which surfaced in April 2014, although easy to exploit, was only ever an information disclosure flaw. One of the latter flaws actually represented a more severe code execution risk.
Lindgaard commented: "Heartbleed was the best publicity a single vulnerability has ever received. However, corporate security teams need to be aware of all vulnerabilities, not just those with a catchy name.