Organizations can now apply Rezilion’s SBOM to Windows environments to manage software vulnerabilities and meet regulatory standards. Credit: Maximusnd / Getty Images Software security platform Rezilion has expanded its Dynamic Software Bill of Materials (SBOM) capability to support Windows environments. The firm said the move will provide organizations with the tools to efficiently manage software vulnerabilities and meet new regulatory standards, addressing functionality gaps of traditional vulnerability management tools primarily designed for use with Linux OS. Features include the ability to search and pinpoint vulnerable components, view Windows and Linux risk side by side in one UI, and tackle legacy vulnerability backlogs. The expansion comes as Microsoft vulnerabilities continue to plague organizations across the globe.Lack of Windows-first vulnerability management toolsIn a press release, Rezilion stated that a dearth of “Windows-first” tooling affects organizations’ ability to effectively manage vulnerabilities and comply with regulations such as the President’s Executive Order (EO) 14028, which requires teams to provide a thorough inventory of their software environments and related vulnerabilities. Gaps leave organizations with large, legacy Windows environments especially vulnerable to both attacks and regulatory non-compliance, the company added, particularly given the fact that 56% of software today is built for Windows OS.According to Liran Tancman, CEO of Rezilion, organizations are increasingly realizing that their future security, risk, and compliance posture relies heavily on their ability to see further into their software supply chain. “A Dynamic SBOM that supports Windows environments widens the scope of possibility and gives the ability to a massive number of new customers to meet regulatory standards and detect and manage their software vulnerabilities strategically,” he added.In July, Microsoft released its own open-source SBOM generation tool. The tech giant said this was an important step towards fostering collaboration and innovation which will enable more organizations to generate SBOMs as well as contribute to its development. Microsoft vulnerabilities continue to threaten organizations2021 was somewhat of a troubling security year for Microsoft with numerous vulnerabilities impacting several of its leading services including Active Directory, Exchange, and Azure. The same severity of security incidents has not come to light in 2022, but Microsoft vulnerabilities continue to threaten unpatched and unprepared organizations globally.Microsoft’s latest Patch Tuesday security update highlighted four actively exploited Windows zero-day vulnerabilities including print spooler elevation of privilege and scripting language remote code execution exploits. These are CVE-2022-41073, CVE-2022-41125, CVE-2022-41128 and CVE-2022-41091. Last month, a pair of newly discovered vulnerabilities highlighted the ongoing risks posed by Internet Explorer’s (IE’s) deep integration into the Windows ecosystem, despite Microsoft ending support for IE in June 2022. Discovered by the Varonis Threat Labs team, the exploits – dubbed LogCrusher and OverLog – affected an IE-specific Event Log that is present on all current Windows operating systems up to, but not including, Windows 11. Teams were urged to patch systems and monitor suspicious activity to mitigate security risks which include event log crashing and remote denial-of-service (DoS) attacks.In September, researchers discovered attackers exploiting two unpatched vulnerabilities to remotely compromise on-premises Microsoft Exchange servers – CVE-2022-41040 and CVE-2022-41082. In August, Microsoft urged users to patch a high-severity, zero-day security vulnerability (CVE-2022-34713 or DogWalk), which allowed attackers to exploit a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT). Related content news FBI probes into Pennsylvanian water utility hack by pro-Iran group Federal and state investigations are underway for the recent pro-Iran hack into a Pennsylvania-based water utility targeting Israel-made equipment. By Shweta Sharma Nov 29, 2023 4 mins Cyberattacks Utilities Industry feature 3 ways to fix old, unsafe code that lingers from open-source and legacy programs Code vulnerability is not only a risk of open-source code, with many legacy systems still in use — whether out of necessity or lack of visibility — the truth is that cybersecurity teams will inevitably need to address the problem. By Maria Korolov Nov 29, 2023 9 mins Security Practices Vulnerabilities Security news Amazon’s AWS Control Tower aims to help secure your data’s borders As digital compliance tasks and data sovereignty rules get ever more complicated, Amazon wants automation to help. By Jon Gold Nov 28, 2023 3 mins Regulation Cloud Security news North Korean hackers mix code from proven malware campaigns to avoid detection Threat actors are combining RustBucket loader with KandyKorn payload to effect an evasive and persistent RAT attack. By Shweta Sharma Nov 28, 2023 3 mins Malware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe