A study that analyzed the top 54 open source projects found that security vulnerabilities in these tools doubled in 2019, going from 421 bugs reported in 2018 to 968 last year. According to RiskSense's "The Dark Reality of Open Source" report, released today, the company found 2,694 bugs reported in popular open source projects between 2015 and March 2020. The report didn't include projects like Linux, WordPress, Drupal, and other super-popular free tools, since these projects are closely monitored and their security bugs make the news, ensuring most of these issues get patched fairly quickly. Instead, RiskSense looked at other popular open source projects that aren't as well known but are broadly adopted by the tech and software community. This included tools like Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, Puppet, and others. RiskSense says that one of the main problems it found during the study was that a large number of the security bugs it analyzed had been reported to the National Vulnerability Database (NVD) many weeks after they had been publicly disclosed.
Microsoft has fixed a critical security vulnerability affecting all supported versions of Windows. The company said in a security advisory that all users of Windows 10 and earlier should patch as soon as possible to prevent attackers from exploiting a flaw in how the operating system handles graphics and fonts. The patch fixes four separate vulnerabilities, the worst of which could let an attacker install malware on an affected computer. The flaw is not thought to have been actively exploited in the wild, the company said. It's the fourth patch so far this year that has affected every supported version of Windows.
Security researchers found a remotely exploitable critical vulnerability in a building management system used by businesses, hospitals, factories and other organizations to control things like ventilation, temperature, humidity, air pressure, lighting, secure doors and more. The vendor has released a firmware update, but hundreds of these systems are still exposed on the internet, highlighting the risks of remote management for ICS devices. The vulnerability, tracked as CVE-2019-9569, was discovered by researchers from security firm McAfee and affects enteliBUS Manager (eBMGR), a control system that can be used to manage different I/O switches connected to things like sensors, alarms, motors, locks, valves and other industrial equipment. The system can also serve as a router for linking multiple Building Automation Control Network (BACnet) segments.
IoT is top of mind for many business leaders today. While executives continually hear about the proliferation of IoT-enabled devices, what's really driving their interest is how these technologies can be applied and the benefits they can deliver for their businesses. In virtually every industry, IoT can have an impact. These are just a few examples of IoT's potential. While executives may understand the opportunity, they're also concerned about the pitfalls involved with implementing an IoT strategy, mainly security.
Nintendo has decided to include the Switch in the bug bounty program it launched with HackerOne late last year for the 3DS. The Japanese company is now willing to pay up to $20,000 to people who report and prove security flaws and vulnerabilities on its new console. It was recently discovered that the HackerOne bounty program has actually been expanded to include the Nintendo Switch since last month. What this basically means is that users can now submit reports on system flaws that could potentially endanger players in general. When such a flaw is verified, Nintendo will pay the person who spotted the vulnerability a bounty ranging from $100 to $20,000, depending on the severity of the problem and other factors.