At the endless booths of this week's RSA security trade show in San Francisco, an overflowing industry of vendors will offer any visitor an ad nauseam array of "threat intelligence" and "vulnerability management" systems. But it turns out that there's already a decent, free feed of vulnerability information that can tell systems administrators what bugs they really need to patch, updated 24/7: Twitter. And one group of researchers has not only measured the value of Twitter's stream of bug data but is also building a piece of free software that automatically tracks it to pull out hackable software flaws and rate their severity. Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper describing a new system that reads millions of tweets for mentions of software security vulnerabilities and then, using their machine-learning-trained algorithm, assesses how much of a threat they represent based on how they're described. They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database (the official register of security vulnerabilities tracked by the National Institute of Standards and Technology), but that they could also use natural language processing to roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating with better than 80 percent accuracy.
A team of researchers from R&D company Draper and Boston University developed a new large-scale vulnerability detection system using machine learning algorithms, which could help to discover software vulnerabilities faster and more efficiently. Hackers and malicious users are constantly coming up with new ways to compromise IT systems and applications, typically by exploiting software security vulnerabilities. Software vulnerabilities are small errors made by the programmers who developed a system; they can propagate quickly, especially through open-source software or through code reuse and adaptation. Every year, thousands of these vulnerabilities are publicly reported to the Common Vulnerabilities and Exposures database (CVE), while many others are spotted and patched internally by developers. If they are not adequately addressed, these vulnerabilities can be exploited by attackers, often with devastating effects, as shown by many recent high-profile exploits, such as the Heartbleed bug and the WannaCry ransomware cryptoworm.
Google has rolled out patches for an Android wireless network vulnerability. The search giant released the fix for the so-called KRACK vulnerability, which if exploited could have let a sophisticated hacker decrypt Wi-Fi traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from an affected device. Mathy Vanhoef, the computer security academic who found the flaw, singled out Android, calling the security issue "exceptionally devastating" for devices running Android 6.0 and later. Several other security fixes were rolled into the update package, including 22 high-rated bugs and 10 critical bugs. Apple released its security fix for KRACK last week.
Microsoft issued 95 security fixes Tuesday as part of its weekly Patch Tuesday efforts, including two major vulnerabilities that were at risk of being exploited by hacking tools stolen from the U.S. National Security Agency. The two most critical fixes addressed by the computing giant included a Windows Search Remote Code Execution Vulnerability identified as CVE-2017-8543 and an LNK Remote Code Execution Vulnerability identified as CVE-2017-8464. The Windows Search Remote Code Execution Vulnerability was considered the more serious of the two issues, as it allowed an attacker to target the Windows Search Service, a feature that allows users to perform a search across multiple Windows services and clients on a network. "In an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB [server message block] connection and then take control of a target computer," a security bulletin published by Microsoft said. Windows Server 2016, 2012 and 2008, as well as desktop operating systems like Windows 10, 7 and 8.1, all were vulnerable to the attack and will be protected by the company's recent patch.