
Secunia and VLC get into Fight over Vulnerability report

Secunia and the VLC team got into a heated argument after Secunia set the patch status of its VLC vulnerability report to "Unpatched".

At the end of last year, the Secunia team reported a vulnerability (SA51464) in VLC version 2.x. The root cause of the vulnerability lies in the underlying FFmpeg library, which VLC statically links to. It was reported that the vulnerability was caused by a buffer overflow issue when parsing SWF files, which was incorrect (as Secunia reports).

When the VLC team came to know about the issue, they tried to fix it, but they missed the root cause and did not solve the core problem. They released the next VLC version and claimed it to be safe, but according to the Secunia team this was not the case. The VLC team kept releasing versions 2.0.5 through 2.0.7 and claimed that the vulnerability was fixed.

When, after the release of version 2.0.6, the Secunia team still reported the vulnerability as unpatched, VLC approached Secunia and threatened to take legal action. As the Secunia team says: "On May 21st, 2013, the VLC team contacted us after office hours and threatened us with legal action if we did not update Secunia Advisory SA51464 and changed its patch status within 24 hours of sending the email."

The Secunia team did not back down even after that. The team says: "We conducted further analysis after we updated our advisory and concluded that the issue is exploitable even in the newly released version 2.0.7. We have therefore updated our advisory and set the patch status of Secunia Advisory SA51464 to unpatched. Any future legal action from the VLC team will be dealt with accordingly."

Later the vulnerability was fixed in version 2.1.0. One of the members of the VLC team commented on Reddit: "Of course there was a bug! Thanks for reporting. The issue has been properly fixed in 2.1.0. If the backport hasn't been done to 2.0 it's my responsibility, since it was late, I procrastinated it and then it slipped out of my mind due to real life contingencies. For that I apologize to our users and the rest of the team that has to deal with this drama."

The vulnerability is now reported as fixed in version 2.1.0 by both the VLC team and the Secunia team, but getting there turned into quite a session of arguments.

Author: Shalini Bhushan 

Secunia apologises after accidentally disclosing zero-day vulnerability on public mailing list

Secunia, an international IT security firm specialising in vulnerability management, has apologised after details of an unpatched zero-day vulnerability were accidentally sent to a public mailing list.

The story, published yesterday by Security Week, revealed the mistake Secunia made while forwarding the details of a zero-day vulnerability in an image viewing application. The email was supposed to be addressed to the vuln address at Secunia. However, an auto-fill mistake in the address sent the details to the vim[at]

"While coordinating with the researcher, one email was accidentally sent from Secunia to a public emailing list, thereby making information about one of the vulnerabilities publicly available," Secunia commented on the disclosed vulnerability.

"Upon realizing the mistake, Secunia immediately informed the vendor in question, who is currently working to create a patch for the vulnerability. Secunia is going through all procedures to ensure that this cannot happen in future."

Secunia partners with MS-ISAC to provide vulnerability and patch management to US state and local governments

Secunia, the leading provider of vulnerability intelligence and vulnerability management solutions, today announced a new partnership with the Center for Internet Security, Multi-State Information Sharing and Analysis Center (MS-ISAC) division, the cyber security focal point for US state, local, territorial and tribal (SLTT) governments.

The collaboration between Secunia and the MS-ISAC provides SLTT governments with solutions for enhancing their vulnerability and patch management efforts, enabling them to further strengthen their defences against the increasingly complex cyber security challenges they face.

Under this new agreement, MS-ISAC members can get discounted access to the Secunia Corporate Software Inspector (CSI), an end-to-end solution for vulnerability and patch management that ties patch detection to patch distribution.

"The cyber challenges facing our SLTT governments are daunting and the need for cost-effective solutions to help meet those challenges has never been greater. This partnership is an excellent example of the public-private sector collaboration necessary to protect our critical infrastructure assets from cyber security threats," said William F. Pelgrin, President and CEO of the Center for Internet Security and Chair of the MS-ISAC. "We look forward to similar opportunities to engage with additional top-tier security vendors in helping secure our nation's SLTT governments through our newest division, the Trusted Cyber Security Purchasing Alliance ("

"We are looking forward to commencing the collaboration, and supporting the MS-ISAC members, who with the Secunia CSI will be empowered to deal with the root cause, the vulnerabilities," said Thomas Zeihlund, CEO, Secunia. "The Secunia CSI will have a direct, positive impact on the effectiveness and timeliness of the members' patch management operations, providing transparency into what is posing a security threat to their organisation so that they can target and prioritise their resources and efforts."