News and Events

January 24, 2007

CVE Mentioned in Article about Web Vulnerabilities on CSOonline.com

CVE was mentioned throughout a January 1, 2007 article entitled "The Chilling Effect" on CSOonline.com about "how the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal." The author refers to CVE as "the definitive dictionary of all confirmed software bugs."

CVE is mentioned again when the author quotes CVE List Editor Steve Christey on vulnerability disclosure: "Disclosure is one of the main ethical debates in computer security. There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward." The author then uses CVE Identifiers to illustrate responsible disclosure: "Three vulnerabilities that followed the responsible disclosure process recently are CVE-2006-3873, a buffer overflow in an Internet Explorer DLL file; CVE-2006-3961, a buffer overflow in an Active X control in a McAfee product; and CVE-2006-4565, a buffer overflow in the Firefox browser and Thunderbird e-mail program. It's not surprising that all three are buffer overflows. With shrink-wrapped software, buffer overflows have been for years the predominant vulnerability discovered and exploited."

The author also discusses the trends in the types of CVEs: "The speed with which Web vulnerabilities have risen to dominate the vulnerability discussion is startling. Between 2004 and 2006, buffer overflows dropped from the number-one reported class of vulnerability to number four. Counter to that, Web vulnerabilities shot past buffer overflows to take the top three spots. The number-one reported vulnerability, cross-site scripting (XSS) comprised one in five of all CVE-reported bugs in 2006." As part of this discussion the author again quotes Steve Christey: "Every input and every button you can press is a potential place to attack. And because so much data is moving you can lose complete control. Many of these vulnerabilities work by mixing code where you expect to mix it. It creates flexibility but it also creates an opportunity for hacking."

Steve Christey is again quoted in the final section of the article about the future of Web vulnerabilities: "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." The author goes on to state that "Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet."

CVE Mentioned in Article about Vulnerability Trends on SecurityFocus

CVE was mentioned in a January 17, 2007 article entitled "Vulnerability tallies surged in 2006" on SecurityFocus. The article is about a report on trends in the types of CVEs: "a report released in October by the Common Vulnerabilities and Exposures (CVE) Project found that the top-three categories of flaws were specific to Web programs and accounted for 45 percent of the bugs reported in the first nine months of the year."

The author also includes a quote by CVE List Editor Steve Christey about researchers searching for possible security vulnerabilities: "Many people are doing 'grep and gripe' research. They are doing a regular expression search, looking for patterns. If they get a match they will report it to the public, but sometimes what ends up happening is they are reporting false positives." Christey further states: "You have emerging levels of sophistication for vulnerability researchers. You have a lot of people who are able to find the low-hanging fruit. But for major software, it seems to be getting more difficult for top researchers to find these issues--they have to work harder, spend more time, spend more resources, (and) do more complex research."

SecurityFocus is a member of the CVE Editorial Board.

January 5, 2007

CVE Identifiers Included in Annual Update of "SANS Top Twenty" List of Internet Security Threats

The 2006 Annual Update to the Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on November 15, 2006 and now includes 210 CVE Identifiers. The list uses CVE Identifiers with both entry and candidate status to uniquely identify the vulnerabilities it describes. This lets system administrators use CVE-Compatible Products and Services to make their networks more secure.

The annual update includes five major categories: (1) Operating Systems - Internet Explorer, Windows Libraries, Microsoft Office, Windows Services, Windows Configuration Weaknesses, Mac OS X, and UNIX Configuration Weaknesses; (2) Cross-Platform Applications - Web Applications, Database Software, P2P File Sharing Applications, Instant Messaging, Media Players, DNS Servers, Backup Software, and Security, Enterprise, and Directory Management Servers; (3) Network Devices - VoIP Servers and Phones, and Network and Other Devices Common Configuration Weaknesses; (4) Security Policy and Personnel - Excessive User Rights and Unauthorized Devices, and Users (Phishing/Spear Phishing); and (5) a Special Section - Zero Day Attacks and Prevention Strategies.

SANS is a member of the CVE Editorial Board and its education and training materials are listed in the CVE-Compatible Products and Services section.

CVE to Host Booth at RSA Conference 2007, February 5-8

MITRE is scheduled to host a CVE / CCE / CME / CWE / OVAL exhibitor booth at RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event will introduce CVE, CCE, CME, CWE, and OVAL to security professionals from industry, government, and academia from around the world. Organizations with CVE-Compatible Products and Services will also be exhibiting. Please stop by Booth 1949, or any of these booths, and say hello.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CWE, OVAL, and/or other vulnerability management topics at your event.

CVE to Host Booth at the 2007 Information Assurance Workshop, February 12-16

MITRE is scheduled to host a CVE / CCE / CME / CWE / OVAL exhibitor booth at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-16, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency (DISA) and National Security Agency (NSA), is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event will introduce CVE, CCE, CME, CWE, and OVAL to representatives of the DOD and other Federal Government employees and their sponsored contractors. Organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar for information on this and other events.

CVE Included in Article about Web Application Vulnerabilities in SC Magazine

CVE was mentioned in a December 27, 2006 article entitled "Hot or Not: Web Application Vulnerabilities" in SC Magazine. The article is about a report on trends in the types of CVEs: "There's no doubt that web applications have become the attackers' target of choice. In September, Mitre Corp.'s Common Vulnerabilities and Exposures list - a tally of publicly disclosed vulnerabilities - ranked cross-site scripting in the number one slot. In fact, cross-site scripting attacks surpassed buffer overflow vulnerabilities. And four of the top five reported vulnerabilities proved to be within web applications."

The article also mentions that in the November 2006 SANS Institute Top-20 Internet Security Attack Targets 2006 Annual Update, which uses 210 CVE Identifiers to uniquely identify the vulnerabilities it describes, "web applications topped the list for Cross-Platform Application vulnerabilities."

Important Message about CVE Web Site Availability

Due to business disaster planning activities, the CVE Web site may be temporarily unavailable for short periods from 5:00am Eastern time on Saturday, January 13, 2007 through 5:00am on Tuesday, January 16, 2007. We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

The U.S. National Vulnerability Database, which provides enhanced information about CVE identifiers, will not be affected.

For more information, please email cve@mitre.org

Page last updated: Wednesday, 24-Jan-2007 14:14:30