By SecureWorld News Team
Wed | Jun 19, 2019 | 1:09 PM PDT

Here are two critical patches you don't want your organization to miss because:

  • they are Zero-Day vulnerabilities,
  • and the vulnerabilities are being exploited in the wild right now.

#1: Critical patch for Oracle WebLogic servers

The first critical patch is for Oracle customers. Security researchers discovered an Oracle WebLogic Server Zero-Day over the weekend that is being exploited in the wild.

Oracle issued a security alert today:

"Oracle has just released Security Alert CVE-2019-2729. This vulnerability affects a number of versions of Oracle WebLogic Server.

This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

John Heimann, Oracle's VP of Security Program Management, says this is similar to the deserialization vulnerability that made big news in April.

However, it is a distinct vulnerability which is ranked a 9.8 out of 10 because of the risk it poses for customers.

#2: Critical patch for Mozilla Firefox

Mozilla also issued a critical patch alert; the fix ships in Firefox 67.0.3 and Firefox ESR 60.7.1:

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."

Is patching a failed security paradigm?

We don't normally do "patch by patch" coverage here at SecureWorld.

We did, however, interview Bruce Schneier at SecureWorld Boston on the topic of patching.

He calls it a "failed security paradigm that is near the end of its useful life." He explains here:
