Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Discovering a blind eye to vulnerabilities

J.F. Rice | April 14, 2015
scanner that doesn’t have the proper permissions is going to miss a lot of vulnerabilities. Why did I have to learn this the hard way?

Last week, I was horrified to discover a problem with my vulnerability scanner. The product I use relies on a user account to connect to our Microsoft Windows servers and workstations to check them for vulnerable versions of software, and that user account had never been configured properly. As a result, the scanner has been blind to a lot of vulnerabilities. And this has been going on for a long time.

I hate to think how much longer I might have remained blind to this problem if I hadn't set out this week to search for a particular set of vulnerabilities inherent in Apple's Safari browser. You see, Apple ended support for its Safari browser on Microsoft Windows a while ago, but I know that some of my users have installed it on their own, and I wanted to find out how many. It worries me because vulnerabilities in Safari for Windows will accumulate indefinitely. That's the last thing I need. In fact, I plan to get rid of Safari entirely, but first I wanted to get some information about how much of a risk it really is.

So I unleashed the vulnerability scanner on the problem. I've been using it for a couple of years now, and it's been helpful in our patching efforts. Once I weed out false positives and prioritize the reported vulnerabilities based on what our various computers are used for (for example, Internet-facing Windows servers have a higher priority than computers on our internal network), I get good, actionable data from the system. I run reports every week and provide them to IT system administrators so they know what security updates to apply. This helps us track the effectiveness of our patching efforts. And patching, thankfully, has been going well lately.

I expected to see a dozen or so computers with Safari on the list. So I was quite surprised when none turned up, especially since I personally know about three Windows computers on my network that run Safari.

I had a bad feeling about Safari's complete absence from the report. I checked again; still no Safari. I scanned the report for the computers I know have Safari installed, and there they were. Some vulnerabilities were listed, but none for Safari. I double-checked to make sure the computers were actually still running Safari, and they were. So what was going on?

Then I looked at the vulnerability scanner itself. Was something not working right? I checked the configuration to see if it was missing any computers or vulnerabilities, but everything looked OK. I looked at the latest scan times, and all the scans seemed to be running fine, right on schedule. Was it getting regular, automatic updates in its vulnerability database from the manufacturer? Yes. I didn't see any application errors or other problems in the system logs.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.