Industry News
Ed Cartier's monthly roundup of industry news
Articles relating to asset management, technology, security and cloud computing

Industry News Roundup

Industry News - Apr 2024

Microsoft Confirms When WordPad Will Be Tossed On The Scrapheap Later This Year With Windows 11 24H2
Microsoft has stated that WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. Users will not be able to avoid losing WordPad when the 24H2 update is distributed to Windows 11 systems. The only way for users to keep WordPad is not to take the 24H2 update when it s released. Users can continue to use 23H2 through November 2025 when support will be discontinued. However, Windows 11 24H2 will be a major update, changing the underpinnings of the OS with a new platform, which ushers in performance and security benefits under the hood. IT managers can utilize their IT asset management solution to identify WordPad users and plan a transition to Notepad, which will replace WordPad.
Read More
Apr 2024
Broadcom is removing expired VMware licences from its portal - take action now!
Hot on the heels of Broadcom s announcement of the end of perpetual licences for VMware it has given customers barely a week to download any keys for licenses from its portal with expired support. This is due to Broadcom migrating all licence keys from the VMware portal into its own software management portal.
Read More
Apr 2024
An Onslaught of Security Flaws Pushes Ivanti Into Security Re-Design
According to the open letter, published by CEO, Jeff Abbott, Ivanti is planning a transformation of its security operating model. The effort will include revamping core engineering, security, and vulnerability practices. The letter notes that Ivanti plans to optimize its products for security which includes accelerating the stack modernization of its Network Security products. Critical vulnerabilities include heap overflow (CVE-2024-21894 and CVE-2024-22053), Null Pointer Dereference (CVE-2024-22052), and XML entity expansion or XXE (CVE-2024-22023) flaws. These vulnerabilities coukld allow interaction-less RCE and DoS attacks. The criticality for these flaws ranges from 5.3 to 8.2 CVSS. As a result, the US government agencies took Ivanti VPN products offline as ordered by the US Cybersecurity and Infrastructure Security Agency (CISA).
Read More
Apr 2024
Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products
The company put the Adobe Commerce vulnerabilities in the critical-severity category. It noted that successful exploitation could result in arbitrary code execution. Adobe also rolled out patches for Adobe Experience Manager (AEM), The Adobe Media Encoder, memory leaks in Adobe After Effects and Adobe Protoshop and Adobe InDesign (Windows and macOS affected); and denial-of-service and code execution issues in the Adobe Animate software. IT managers can utilize their IT asset management tools to identify vulnerable and un-patched systems.
Read More
Apr 2024
Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability
Shadowserver Foundation researchers recently identified thousands of internet-exposed Ivanti VPN appliances lwhich are impacted by a vulnerability leading to remote code execution. The vulnerability, labeled CVE-2024-21894 (is described as a heap overflow bug in the IPSec component of Ivanti Connect Secure and Policy Secure. The bug can be exploited by remote, unauthenticated attackers to cause a denial-of-service condition or to execute arbitrary code. Ivanti has released software updates to address this flaw and three other vulnerabilities in its two VPN appliances. The patch impacts all supported versions of Connect Secure and Policy Secure. Ivanti has urged all users to update their affected systems.
Read More
Apr 2024
Cisco Warns of Vulnerability in Discontinued Small Business Routers
Cisco has issued a warning about a cross-site scripting (XSS) vulnerability in its end-of-life RV series small business routers. Tracked as CVE-2024-20362 the flaw impacts the small business RV016, RV042, RV042G, RV082, RV320, and RV325 routers. These models have been discontinued and security patches are not published. Cisco has stated that it is not aware of this vulnerability being exploited in the wild, there are no workarounds for the bug. Users are advised to migrate to a supported product. Discontinued Cisco networking devices have been exploited in attacks. Network managers can use their It asset management tools to identify obsolete equipment.
Read More
Apr 2024
Software Purges: How CIOs Can Declutter The Software Stack
Tech stacks can benefit from a decluttering exercise, especially if a company does not have a regular software review cycle. A software review can be a major undertaking and may result in major savings. An in-place IT asset management solution can speed the process. For example, last year a major bank retired several hundred legacy apps in an effort to simplify its technology infrastructure. A complex tech stack can create a world of problems, and having several disjointed systems that aren t integrated can make work harder and be a waste of employee time and financial resources. Karl Threadgold, managing director at Threadgold Consulting noted that The key thing is not having that single source of truth. Rather than determining a one-time software clean out, organizations should maintain a continuous cycle of analyzing what software applications are used and how. An IT asset management system creates that single source of truth and provides key information to support a regular software clean-out process.
Read More
Apr 2024
22,500 Palo Alto Firewalls "Possibly Vulnerable" To Ongoing Attacks
Over 22,000 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw. The flaw is a critical command injection vulnerability that has been actively exploited in attacks since March of 2024. CVE-2024-3400 impacts specific Palo Alto Networks' PAN-OS versions in the GlobalProtect feature that allows unauthenticated attackers, using command injection triggered by arbitrary file creation, to execute commands with root privileges. Patches were made available between April 14 and 18, 2024 meaning that post-disclosure risks lasted two to six days. Palo Alto's mitigation of disabling telemetry would not protect devices and that the only solution was to apply the security patches. IT managers can utilize their IT asset management solutions to identify vulnerable and unpatched devices.
Read More
Apr 2024

Industry News - Mar 2024

Ivanti Breach Prompts CISA to Take Systems Offline
Back in February threat actors breached the Cybersecurity and Infrastructure Security Agency's (CISA) systems using Ivanti product vulnerabilities. Suspicious activity was identified, and two systems were taken offline. It is not clear who was behind the incident and whether any data was accessed or stolen. The Infrastructure Protection Gateway and the Chemical Security Assessment Tool (CSAT) were the two systems taken offline. CISA recommends that organizations review an advisory it released in February regarding three Ivanti vulnerabilities, identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. CISA also reported that the Ivanti ICT failed to detect compromise in incident response engagements.
Read More
Mar 2024
Too Much Data: CIOs Jostle for Control Of Swelling IT Estates
According to a Dynatrace survey of over 1,200 CIOs, cloud-based data output overwhelms human management capacity. Over 80% of respondents notes that the technology stack has become more complex over the past year. About 50% of them expect the complexity to worsen. Multicloud technology platforms often include a dozen different platforms and services. according to the majority of respondents, the rising complexity hinders security and customer experience. An IT asset management tool capable of reporting and analyzing cloud usage and contracts can assist in reigning in cloud-complexity.
Read More
Mar 2024
Legacy Tech Is Still Popping Up as A Cost-Control Barrier
A Deloitte survey of 300 business leaders found that fifty percent of businesses cite technology infrastructure challenges as the top obstacle to bringing costs under control. That number is up from just over 30% in a 2023 study. The report showed that legacy technology infrastructure is an obstacle to adopting new technology. Legacy technology can also impact internal business conditions and limit companies ability to boost profit margins. Despite issues with legacy technology, 80% of companies are embracing generative AI and machine learning to boost efficiency and improve customer and employee experiences. A robust IT asset management solution can help identify legacy technology and their interaction with other systems.
Read More
Mar 2024
Enterprises Spend Hundreds of Hours A Year On SaaS Contracts
A report compiled by Vertice showed that businesses spend an average of 385 hours a year on meetings regarding SaaS and cloud contract purchases and renewals. In developing the report Vertice analyzed procurement processes at more than 1,000 companies. Staff responsible for SaaS purchases and renewals often spent over half of their working year on the end-to-end process of reviewing and renewing software contracts. The time burden disproportionately affects IT and finance departments. Vertice CEO and founder Eldar Tuvey said that Finance and tech leaders need the time to focus on high-value strategic initiatives rather than being stuck in endless meetings and email chains to buy and renew software. An IT asset management solution that can report and analyze SaaS usage and contracts can assit in the review and acquisition process.
Read More
Mar 2024
ITAM Forum Announcement
Users will benefit from, and contribute to, a community focused on timely ITAM industry news and analysis, detailed and industry-responsive training, resources to successfully overcome workplace challenges, events that are focused on knowledge sharing and networking and future focused thought leadership.
Read More
Mar 2024
Healthcare s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency
While the IT devices controlling the OT devices are usually Windows and Linux systems that are frequently patched, no such process applies to the majority of OT devices. Instead, the report noted, vulnerability patching is often an add-on to an already expensive support contract. A robust IT asset management solution, that does not impact the configuration of FDA approved devices, can aid in identifying vulnerable systems.
Read More
Mar 2024
Patch Tuesday: Microsoft Flags Major Bugs in HyperV, Exchange Server
Microsoft recently labeled two HyperV vulnerabilities (CVE-2024-21407 and CVE-2024-21408)_ with its highest critical-severity rating. The company encouraged users to prioritize these fixes. Not doing so could expose the companies to code execution and denial-of-service attacks. Microsoft warned HyperV users that This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server. The software publisher also identified a serious flaw in Open Management Infrastructure (OMI) that should receive for urgent attention. The CVE-2024-21334 bug carries a CVSS severity score of 9.8 out of 10. The March patches also provide remedies for code execution issues in Microsoft Exchange Server and a Microsoft Azure Kubernetes bug that opens the door for attackers to steal credentials. IT managers can utilize their IT asset management tools to identify unpatched and vulnerable systems.
Read More
Mar 2024
Poor Inventory Data to Blame For Increased Audit Costs: Oomnitza Survey
According to a new survey recently published by Oomnitza, almost 50% of organizations have experienced a significant increase in their audit budget expenditures due to poor IT inventory data. Nearly 60% of companies reported that the data accuracy of their CMDB was only less than 90% and that they had insufficient levels of process automation. These are the results of a new snapshot survey on IT Compliance and Technology Audits. The research, which was conducted by YouGov, surveyed over 200senior level information technology professionals in companies with 1,000 to 10,000 employees across multiple industries in the United States.
Read More
Mar 2024
Flexera 2024 State of the Cloud: Managing Cloud Spending is the Top Challenge of Cloud Computing, while AI, FinOps, Security and Sustainability Demand Attention
Flexera recently announced the release of its Flexera 2024 State of the Cloud Report. The report explores the opinions of over 750 respondents from a survey conducted in 2023. It highlights ongoing changes to help identify trends. The respondents, which included cloud decision-makers and users from a worldwide sample, noted their experiences and insights about the public, private and multi-cloud market.
Read More
Mar 2024
NSA says it s tracking Ivanti Cyberattacks as Hackers Hit US Defense Sector
The U.S. National Security Agency (NSA) has confirmed that hackers exploiting flaws in Ivanti s enterprise VPN appliance and have targeted organizations across the U.S. defense sector. NSA spokesperson Edward Bennett confirmed that the U.S. intelligence agency is tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector. Confirmation that the NSA is tracking these cyberattacks follows a report that Chinese espionage hackers have made mass attempts to exploit multiple vulnerabilities impacting Ivanti Connect Secure.
Read More
Mar 2024

Industry News - Feb 2024

What Policy Concerns Connecting Personal Mobile Devices to Organizational Network
The integration of personal computing devices into organizational networks has become a common practice. Called bring your own device (BYOD), the practice provides numerous benefits and challenges for IT professionals. Although it supports flexibility and productivity, it also presents concerns regarding security, privacy, and data management. As employees access company information using their personal devices, the risk of data breaches and unauthorized access increases. To reduce risks, organizations must establish robust policies to govern the connection of personal mobile devices to their networks. In addition, firms must be able to assess the vulnerability of those devices. A robust IT asset management solution can determine I f personal devices meet corporate configuration standards.
Read More
Feb 2024
Windows Zero-Day Exploited in Attacks on Financial Market Traders
Microsoft recently announced patches for more than 70 vulnerabilities, including two flaws that have been exploited in attacks as zero-days, two of which have been described as security feature bypasses. Microsoft noted that these vulnerabilities impact Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11. They can be exploited by convincing the targeted user to open a specially crafted file designed to bypass displayed security checks. IT managers can use their IT asset management tools to identify unpatched and vulnerable devices.
Read More
Feb 2024
Patch Tuesday: Adobe Warns of Critical Flaws in Widely Deployed Software
Adobe recently called made users aware of critical flaws in the Adobe Acrobat and Reader, Adobe Commerce and Magento Open Source, Substance 3D Painter, and FrameMaker. The company documented over twelve serious security defects covered in the Adobe Acrobat and Reader update. It warned that both Windows and macOS users are at risk. Adobe said that unpatched installations are at risk of arbitrary code execution, security feature bypass and application denial-of-service. The company issued fixes for code execution bugs in Adobe Substance 3D Painter, Adobe FrameMaker Publishing Server, Adobe Audition, and Adobe Substance 3D Designer. A robust IT asset management tool can be used to identify unpatched and vulnerable devices.
Read More
Feb 2024
Average Software Waste Hit $18M Last Year Despite Optimization Push
As cloud adoption spreads, cost concerns and optimization initiatives follow, Firms are combining previously discrete budgeting categories into a single line-item of tech spending. IT managers are working to maintain cost controls while maintaining adoption. according to Zylo, over 90% of IT and software asset management professionals now include SaaS into broader cloud cost governance efforts. Last year companies neglected billions in savings by not taking advantage of built-in hyperscaler savings plans and discounts. Infosys found that over $300 billion in pre-paid cloud credits lying dormant in enterprise accounts. In a separate study Zylo found that more than half of licensed SaaS applications go unused. Despite these numbers, the average organization added six applications each month last year. A robust IT asset management solution that can analyze clous software usage can be a valuable tool in elimination software spend waste.
Read More
Feb 2024
Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893, CVE-2024-22024), and follow the latest vendor advice.
Read More
Feb 2024
Flexera Buys Snow Software
On the 15th February, Flexera confirmed it had completed the acquisition of Snow Software. Flexera has long admired Snow s great products, customer value realization, talented employees, partner ecosystem, and active customer community. Flexera and Snow share harmonious company cultures, missions, and long-term strategies. Together, we will continue to deliver market leading solutions that address optimizing spend in a world of inflating costs, minimizing risks despite increasing threats and new regulations, and navigating ongoing uncertainty.
Read More
Feb 2024

Industry News - Jan 2024

CISA Adds Patched MS Sharepoint Server Vulnerability to KEV Catalog
the US Cybersecurity and Infrastructure Security Agency (CISA) has added a patched privilege escalation vulnerability impacting Microsoft SharePoint servers to the known exploited vulnerabilities (KEV) catalog. The agency cited evidence of active exploitation and has tagged the critical severity bug Microsoft previously released fixes for as part of its June 2023 Patch Tuesday updates. Tracked as CVE-2023-29357. The vulnerability (CVSS 9.8) allows an attacker, who has gained access to spoofed JSON Web Token (JWT) authentication tokens, to use them for executing a network attack. CISA has advised users to update their systems by January 31 to secure against active threats. IT administrators can utilize their IT asset management tools to identify vulnerable systems.
Read More
Jan 2024
Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations |
IT asset management (ITAM) is the process by which organizations manage their IT assets. ITAM is critical to ensuring proper cyber hygiene controls are in place across all assets in the organization. The use of discovery tools reduces unknowns across the network. ITAM should be implemented for endpoints, servers, application, and networking equipment. ITAM cybersecurity practices should be incorporated into every lifecycle stage of IT operations to maintain data accuracy and integrity. The lifecycle includes procurement, deployment, maintenance, and decommissioning. As part of its public private partnership with the NIST National Cybersecurity Center of Excellence (NCCOE), the financial sector has written a detailed ITAM practice guide: IT Asset Management (https://www.nccoe.nist.gov/sites/default/files/legacy-files/fs-itam-nist-sp1800-5b-draft.pdf)
Read More
Jan 2024
Apple Ships iOS 17.3, Warns of WebKit Zero-Day Exploitation
Apple announced that the newest iOS 17.3 and macOS Sonoma 14.3 updates address at least 16 vulnerabilities that can expose Apple users to code execution, denial-of-service and data exposure attacks. In a separate advisory the company documents a pair of WebKit bugs (CVE-2023-42916 and CVE-2023-42917) that it says may have been exploited against versions of iOS before iOS 16.7.1. The recent updates also fix security problems in the Apple Neural Engine, CoreCrypto, Mail Search, Reset Services, Shortcuts and Time Zone. IT professionals can utilize their IT asset management tools to identify unpatched devices.
Read More
Jan 2024
45% of Critical CVEs Left Unpatched in 2023
In 2023 cyberwarfare became more widespread. Manufacturing, educational services and public administration were widely exposed to attack from cybercriminals. Older Windows server OS versions (2012 and earlier) are nearly 80% more likely to experience attack attempts compared to newer Windows Server versions. This vulnerability is especially evident in the server environment. Almost 25% of server versions are facing end-of-support (EoS) scenarios. Industries still using end-of-life (EoL) or EoS OSs that are no longer actively supported or patched for vulnerabilities are particularly vulnerable. IT professionals can use the information generated by their IT asset management solutions to pinpoint legacy, obsolete and/or unpatched systems.
Read More
Jan 2024
© xAssets 2024 All rights reserved.