Nexpose Release December 28, 2011

Document created by mburstein Employee on Dec 27, 2011Last modified by mburstein Employee on Dec 27, 2011
Version 7Show Document
  • View in full screen mode
                                                                

Rapid72011-12-28 product and content updates
                  Release announcement

This Rapid7® Nexpose® 5.0.4 release features new and updated vulnerability checks and improvements to Web spidering and fingerprinting.
                 
These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. See the third FAQ.

Web spidering improvement | product

The Web spider now properly parses and reuses HTTP cookies to increase link coverage for sites that use authentication.

Fingerprinting improvements | product

The following devices are now fingerprinted to help you track assets better, provide a more comprehensive software inventory, and present more accurate information on vulnerabilities:

             
  • Oracle Linux 4.x hosts
  • Netscreen devices running SSH
  • Mozilla Thunderbird and Seamonkey
  • Wordpress

Accuracy improvements | product

Accuracy improvements provide better detection and reporting of vulnerabilities to help you prioritize remediation efforts more effectively.

  • The software list on Apple OS X 10.7.x hosts is now properly enumerated.
  • The check that ensures SSL/TLS certificates are signed by valid, trusted Certifying Authorities (CA) has been updated. If validation fails, the reason is included in the check results, reducing occurrences of false positives and exceptions.

Accuracy improvement | content

A false positive when scanning HTTP Open proxies has been fixed to provide better detection and reporting of vulnerabilities.

Coverage improvements | product

New vulnerability checks provide better security coverage.


  • Vulnerabilities on Apple OS X versions 10.3 through 10.7 are now detected.
  • Authenticated Red Hat Package Manager (RPM) checks for Oracle Linux versions 3 through 6 (also known as Oracle Enterprise Linux and Oracle Unbreakable Linux) are now included.

Web spidering improvements | content

Cross-Site Request Forgery (CSRF) is one of the most important Web application vulnerabilities and is referenced from OWASP's Top10 as the fifth most important risk and Mitre's 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

 

Cross-Site Request Forgery vulnerabilities are now identified in any Web application. Please note that in order to detect CSRF vulnerabilities the Web application scanner requires form or HTTP basic authentication credentials to access the Web application.

 

The following vulnerabilities are now detected: This improvement requires the most recent product update.


  • Web Application Does Not Implement CSRF Protection. When CSRF protections are not implemented.
  • Web Application Partially Implements CSRF Protection. When there are some forms protected against CSRF but others are not.
  • Sensitive Form Is Vulnerable To CSRF. When one of the vulnerable forms has been found to have sensitive information.

Fingerprinting improvements | content

Apple OS X versions are now more accurately fingerprinted over Network Time Protocol (NTP) to help you track assets better, provide a more comprehensive software inventory, and present more accurate information on vulnerabilities.

Bi-monthly vulnerability check update | content
                

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

                           
  • Adobe Flash
  • Adobe Reader
  • Adobe Shockwave
  • Apache
  • Apple QuickTime
  • BIND
  • CentOS
  • Cisco devices
  • IBM AIX
  • Java Runtime Environment
  • Mozilla Firefox
  • OpenSSL
  • PHP
  • Red Hat Enterprise Linux
  • Solaris
  • VMware

These checks help prevent security breaches that could allow hostile parties to take control of affected systems, gain access to confidential data, disrupt business operations, or cause other problems.

                 

Product update
                 

                           
  •   Linux 32                      | Update ID: 1077104482
  •   Linux 64                      | Update ID: 2965864765
  •   Windows 32                     | Update ID: 3866533290
  •   Windows 64                     | Update ID: 4052390242

Content update
                 

                            
  • Update ID: 1314732206

Installers
                 

   Released on November 17, 2011 (see fourth FAQ).                           

md5sum files
                 

Download the appropriate md5sum file to ensure that the installer was not corrupted during download:                            

Frequently asked questions (FAQs)
                 

                          
  • How will I know Nexpose has updated with this specific release?
    All updates are listed on the News page of the Nexpose Security Console Web interface.
  • Why doesn’t the most recent date on the News page match the dates of the current updates on the Administration page?
    You may occasionally notice that the most recent date on the News page does not match the dates of the current updates listed on the Nexpose Security Console administration page. The dates on the News page are official release dates. The dates on the console page indicate when updates were actually applied to your Nexpose installation.
  • What are content updates, and what are product updates?
    Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies. Product updates include performance improvements, bug fixes, and new features in Nexpose.
  • Why are installers not updated with every release?
    To help you stay on top of an ever-growing number of security threats, Rapid7 makes the delivery of new security content timely and convenient.  After installation and first-time start-up, Nexpose continues to update itself dynamically. This makes it unnecessary for Rapid7 to update installers  with every release of security content. So, you don't have to download installers every time new content is available.
  • Does this dynamic self-updating cause Nexpose to restart?
    Yes. You may notice Nexpose taking longer to start for the first time after installation. You may also notice it restarting more than once as it completes a required sequence of updates.
  • How can I obtain more information about this release?
    If you have purchased Nexpose, contact our Technical Support Team at Support@Rapid7.com. If you are using the Community version of Nexpose, go to http://community.rapid7.com.
              
Join the Rapid7 Community!
Learn tips and tricks, engage with your peers,
and keep up with the latest product developments.
https://community.rapid7.com
           

Attachments

    Outcomes