Vulnerability

A vulnerability is a weakness in a system or device, often caused by a software bug, that can be exploited to gain unauthorized access, elevate privileges or cause a denial of service. A tool or technique used to attack a vulnerability is called an exploit.

Publicly disclosed vulnerabilities are enumerated in the Common Vulnerabilities and Exposures (CVE) List and published with additional analysis in the National Vulnerability Database (NVD), so that vulnerability data can be shared and correlated across separate security tools and services.

Recent Notable Vulnerabilities

| Date | Vulnerability | Details |
| --- | --- | --- |
| Mar 2016 | DROWN | A vulnerability that affects HTTPS and other services that rely on SSL and TLS |
| Jan 2016 | Linux flaw | A cross-site scripting (XSS) vulnerability found in the WordPress plug-in Jetpack, putting more than a million websites at risk of getting their administrator accounts hijacked |
| Mar 2016 | Jetpack flaw | A cross-site scripting (XSS) vulnerability found in the WordPress plug-in Jetpack, putting more than a million websites at risk of getting their administrator accounts hijacked |
| July 2015 | Stagefright | An Android vulnerability that could be used to install malware on a device via a simple multimedia message |
| May 2015 | LogJam | A vulnerability that affects the Diffie-Hellman key exchange |
| Mar 2015 | FREAK | A vulnerability that forces a secure connection to use weaker encryption, making it easy for cybercriminals to decrypt sensitive information |
| Oct 2014 | POODLE | A vulnerability in Secure Sockets Layer (SSL) version 3.0 |
| Sep 2014 | Shellshock | A vulnerability in the Bash shell, a command-line interface used to access an operating system's services |
| Apr 2014 | Heartbleed | A vulnerability in the popular OpenSSL cryptographic software library used by many web sites and other applications such as email, instant messaging, and VPNs |

Top 10 Products with Most Vulnerabilities of All Time (As of July 2016)

| Product Name | Vendor Name | Product Type | # of Vulnerabilities |
| --- | --- | --- | --- |
| Mac OS X | Apple | OS | 1600 |
| Linux Kernel | Linux | OS | 1461 |
| Firefox | Mozilla | Application | 1391 |
| Chrome | Google | Application | 1315 |
| iPhone OS | Apple | OS | 919 |
| Flash Player | Adobe | Application | 892 |
| Internet Explorer | Microsoft | Application | 776 |
| Windows XP | Microsoft | OS | 726 |
| Windows Server 2008 | Microsoft | OS | 705 |
| Thunderbird | Mozilla | Application | 703 |
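Counts like the ones in the table above, and the CVE/NVD data sharing described earlier, depend on every consumer agreeing on what a valid CVE identifier is and not counting the same entry twice. The following is an added example, not code from this page or from Trend Micro: it validates CVE identifiers, normalises a small constructed feed (the `id`/`vendor`/`product`/`cvss`/`summary` item layout is a simplified shape invented for this example, not the NVD JSON schema), reports malformed or duplicate items instead of silently dropping them, ranks products by distinct CVE count, and lists the IDs a team should patch first. All CVE numbers, vendors and products in the sample feed are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# CVE identifier syntax used by the CVE List and NVD: "CVE-", a four-digit year, "-",
# then four OR MORE digits (the sequence field stopped being fixed-width in 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Validate a CVE identifier and return (year, sequence number).

    Raises ValueError on malformed input so callers never store, compare or
    deduplicate IDs that are lowercase, truncated or wrongly padded.
    """
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if match is None:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    vendor: str
    product: str
    cvss: float  # base score, 0.0 to 10.0
    summary: str


def load_feed(items: list[dict]) -> tuple[list[VulnRecord], list[str]]:
    """Turn raw feed items into VulnRecords; return (accepted, rejection reasons).

    Item layout is a constructed simplification for this example, not the NVD schema.
    Invalid IDs, out-of-range scores and duplicate IDs are reported, not dropped silently.
    """
    records, rejected, seen = [], [], set()
    for item in items:
        raw_id = item.get("id", "<missing>")
        try:
            parse_cve_id(raw_id)
            cid = raw_id.strip().upper()  # canonical form for storage and comparison
            score = float(item["cvss"])
            if not 0.0 <= score <= 10.0:
                raise ValueError(f"CVSS out of range: {score}")
            if cid in seen:
                raise ValueError("duplicate entry")
            record = VulnRecord(cid, item["vendor"], item["product"], score, item["summary"])
        except (KeyError, ValueError) as exc:
            rejected.append(f"{raw_id}: {exc}")
            continue
        seen.add(cid)
        records.append(record)
    return records, rejected


def count_by_product(records: list[VulnRecord]) -> list[tuple[str, str, int]]:
    """Rank (vendor, product) pairs by number of distinct CVEs, like the table above."""
    counts = Counter((r.vendor, r.product) for r in records)
    return [(vendor, product, n) for (vendor, product), n in counts.most_common()]


def patch_priority(records: list[VulnRecord], min_cvss: float = 7.0) -> list[str]:
    """IDs at or above the CVSS threshold, highest score first, newest CVE first on ties."""
    urgent = [r for r in records if r.cvss >= min_cvss]
    urgent.sort(key=lambda r: (-r.cvss, tuple(-x for x in parse_cve_id(r.cve_id))))
    return [r.cve_id for r in urgent]


# Constructed sample feed: placeholder CVE numbers, vendors and products, plus three bad items
# (an ID with a three-digit sequence, a score above 10.0, and a duplicate of the first entry).
SAMPLE_FEED = [
    {"id": "CVE-2014-0001", "vendor": "ExampleCorp", "product": "ExampleOS",
     "cvss": 9.8, "summary": "constructed: remote code execution"},
    {"id": "cve-2014-0002", "vendor": "ExampleCorp", "product": "ExampleOS",
     "cvss": 5.3, "summary": "constructed: information disclosure"},
    {"id": "CVE-2014-0001", "vendor": "ExampleCorp", "product": "ExampleOS",
     "cvss": 9.8, "summary": "constructed: duplicate of the first item"},
    {"id": "CVE-2015-10001", "vendor": "ExampleCorp", "product": "ExampleBrowser",
     "cvss": 7.5, "summary": "constructed: five-digit sequence number is valid"},
    {"id": "CVE-2015-123", "vendor": "ExampleCorp", "product": "ExampleBrowser",
     "cvss": 6.0, "summary": "constructed: malformed ID, rejected"},
    {"id": "CVE-2016-0003", "vendor": "ExampleCorp", "product": "ExampleOS",
     "cvss": 11.0, "summary": "constructed: impossible score, rejected"},
]

if __name__ == "__main__":
    accepted, problems = load_feed(SAMPLE_FEED)
    for vendor, product, n in count_by_product(accepted):
        print(f"{product:16} {vendor:12} {n}")
    print("patch first:", patch_priority(accepted))
    print("rejected:", *problems, sep="\n  ")
```

Rejections are returned alongside the accepted records rather than logged and forgotten, so an ingestion job can fail loudly when a feed changes shape; the duplicate check runs on the canonical uppercase ID so that `cve-2014-0002` and `CVE-2014-0002` are recognised as the same entry.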

Responsible Vulnerability Disclosure

Responsible vulnerability disclosure involves informing companies of the vulnerabilities discovered in their products. This allows organizations time to release a fix before the vulnerability is disclosed to the general public.

However, if a vulnerability is already being exploited in the wild before any disclosure is made, Trend Micro believes that it is our duty to release more details right away. In the case of the Hacking Team leak, Trend Micro warned users that the data dumps included zero-day vulnerabilities that were already being used in exploit kits, and provided information on how users could protect themselves.

Related terms: Exploit, Zero-day exploit, Zero-day vulnerability, Virtual patching, Exploit kit

Related papers/primers:

Monitoring Vulnerabilities: Are your Servers Exploit-Proof?

Virtual Patching in Mixed Environments: How It Works To Protect You

Related infographics:

Shellshock Vulnerability: The Basics of the "Bash Bug"

Stop threats dead in their tracks/Blackhole Exploit Kit

Dodging a Compromise: A Peek at Exposure Gaps

The Internet of Everything: Layers, Protocols and Possible Attacks

Links:

https://www.sans.org/reading-room/whitepapers/threats/define-responsible-disclosure-932

http://blog.trendmicro.com/trendlabs-security-intelligence/why-vulnerability-research-is-a-good-thing/

Products: Trend Micro™ Vulnerability Protection, Trend Micro Browser Guard, Trend Micro™ Deep Security