The Bug that caused the Equifax Breach was just two months old

Harikrishna MekalaSeptember 14, 20170520 views

“Equifax has been deeply examining the scope of the interference with the support of a leading, independent cyber security firm to discover what information was obtained and who have been impacted,” company executives wrote in an update posted online. “We understand that offenders exploited a US website employment vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We remain to work with law requirement as part of our illegal investigation, and have experienced indicators of agreement with law enforcement.”

The defect in the Apache Struts framework was made on March 6. Three days later, the bug was now under mass attack by hackers who were utilizing the flaw to install rogue applications on web servers. Five days after that, the escapades showed few signs of letting up. Equifax has declared the breach on its site occurred in mid-May, more than two months after the flaw got to light and a patch was available.

Thursday’s disclosure heavily suggests that Equifax failed to renew its Web applications, despite conclusive proof the bug gave real-world criminals an easy way to take charge of sensitive sites. An Equifax spokesperson didn’t immediately reply to an e-mail seeking comment on this possibility.

As News predicted in March, patching the security hole was labor intense and difficult, in part because it required downloading an updated version of Struts and then utilizing it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or still hundreds of such apps, which may be spread across dozens of servers in multiple regions. Once rebuilt, the apps must be widely tested before going into the product to ensure they don’t break key roles on the site.

Equifax’s update validates a report published last week by a firm called Baird Equity Research. It gave no source for the claim that Equifax was breached through an unknown Apache Struts vulnerability. Two days later, the Apache Software Foundation published a statement stating it didn’t know one direction or the if a Struts vulnerability was involved. CVE-2017-5638 is separate from CVE-2017-9805, a separate Apache Struts vulnerability that was repaired last week.

Take your time to comment on this article.

The FCC refuses to talk about Net Neutrality

The New Hp Printer Firmware update will block the ink in the third-party cartridges

Related posts

LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely from Any Browser, Anywhere

Judge0 Vulnerabilities Could Allow Sandbox Escape

Google Meet Now Offers Client-Side Encryption For All Calls