Update now: Don't ignore major security patches, HIMSS report says
Do you know what a “directory traversal” vulnerability is? Also dubbed a path traversal, this infosec issue enables attackers who penetrate a web app to hop around directories and read the contents of files on the victim machine, not just in the app itself.
It’s a type of flaw that IBM just disclosed in its WebSphere Portal software and subsequently issued a fix to plug. If you’re running a vulnerable iteration of WebSphere Portal, apply that fix immediately.
And while you’re at it, Apple, Mozilla and Apache also have fresh patches, according to the HIMSS Healthcare Cross-Sector Cyber Security Report for September 2017.
“The specific overarching theme in this month’s report is on newer technologies: web and mobile, especially web,” Lee Kim, HIMSS’ director of privacy and security said. “These technologies can be ‘open doors’ to hackers.”
Indeed, the Mozilla Foundation posted security updates for a critical flaw via which take control of a system running Firefox ESR 52.4 and Firefox 56. Apple, for its part, released iOS 11.0.1 to close holes hackers could slip through to take over a machine. Also on the open source front, the Apache Foundation is circulating a fix for the Struts 2 infosec gap that attackers used in the Equifax breach.
"Don’t be complacent about the security of your website or your mobile devices. They are hackable."
Lee Kim, HIMSS’ director of privacy and security
Two more fixes to know about now concern SQL injection issues and a NodeJS debugger. The SQL injection was identified in the Mojoomla Hospital Management System for WordPress. SQL injection exploits are common, the HIMSS report noted, and this one is written in PHP and easy enough for hackers to test and use. A NodeJS debugger command injection exploit was publicly released, meaning nefarious hackers could use to execute commands or queries.
An interesting twist in this month’s report: It turns out that healthcare is merely fifth on the list of industries when ranked by annual cost of cybercrime. Healthcare hit $12.47 million while financial services is $18.28 million. Energy, aerospace and software/technology fell between healthcare and financial services, according to research Accenture and Ponemon Institute conducted that Lee referenced in the HIMSS report.
Just don’t let that tempt you into resting easy with that security strategy.
“Don’t be complacent about the security of your website or your mobile devices. They are hackable,” Kim said. “Don’t wait to patch. These vulnerabilities are exploitable and you need to patch now. These problems just won’t go away if you ignore them.”