InfoSecBulletin Cybersecurity for mankind
Google has announced Vanir, an open-source tool for detecting and fixing security vulnerabilities, publicly available for developers.
Vanir is a source code-based static analysis tool that automatically identifies the list of missing security patches in the target system. By default, Vanir pulls up-to-date CVEs from Open Source Vulnerabilities (OSV) together with their corresponding signatures so that users can transparently scan missing patches for an up-to-date list of CVEs.
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
ChatGPT Develops Exploit for CVEs Before Public PoCs Share
TP-Link Router Vulns Allow to Execute Malicious SQL Commands
SSL.com’s domain validation system’s bug found: Hacker exploited
Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals
Hackers Exploit Zoom’s Remote Control Feature for System Access
Vanir, originally designed for Android, provides an effective way to manage security patches for various devices and software versions. As Google’s blog states, “This strengthens the security of the Android ecosystem, helping to keep Android users around the world safe.”
What sets Vanir apart?
Source-Code-Based Static Analysis: Instead of using potentially inaccurate metadata, Vanir examines the source code directly, offering a more precise and thorough analysis.
Automated Patch Identification: Vanir automates the time-consuming task of finding missing patches, saving both time and resources.
Versatility: Although made for Android, Vanir can easily be used in other systems, making it a valuable asset across the software development landscape.
“A main focus of Vanir is to automate the time consuming and costly process of identifying missing security patches in the open source software ecosystem,” Google emphasizes in their blog.
Early Success and Future Potential:
Early use of Vanir has shown great results. Google states that one engineer generated signatures for over 150 vulnerabilities and verified missing security patches in just five days using Vanir.
Vanir’s open-source nature encourages teamwork and innovation in security. “By open-sourcing Vanir, we aim to empower the broader security community to contribute to and benefit from this tool, enabling wider adoption and ultimately improving security across various ecosystems,” says Google.
