50 minutes | Nov 13th 2020

Benchmarks and You: Making the Right Match

On this episode, we talk about November Patch Tuesday - Satnam highlights some of the vulnerabilities and we discuss the new, limited format for the advisories from Microsoft. Our guest this month is Grant Dobbe who gives us a crash course on compliance benchmarks and how to pick the right one for you. The key lesson: don’t try to put a jet engine on a Cessna.

Show References:
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Webinar: Ramp-Up Your Response to Latest State Sponsored Attacks

Microsoft’s November 2020 Patch Tuesday Addresses 112 CVEs including CVE-2020-17087
CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild
Google patches two more Chrome zero-days
Apple patches iOS against 3 actively exploited 0-days found by Google

Oracle Critical Patch Update for October 2020 Addresses 402 Security Updates
CVE-2020-14882: Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild
Oracle Security Alert Advisory - CVE-2020-14750 (Out-of-Band)
CVE-2020-14871: Critical Buffer Overflow in Oracle Solaris Exploited in the Wild as Zero-Day
CVE-2020-27615: SQL Injection Vulnerability in WordPress Loginizer Plugin Affected Over One Million Sites
CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed

Webinar: How to Unlock the Security Benefits of the CIS Benchmarks
CIS Benchmarks
DISA STIGs
STIG Viewer
Single Check Audits on Github
Github: Audit file for CVE-2020-14871

Tenable Research Podcast Musical References