SecurityFocus, January 17, 2007
CVE was mentioned in a January 17, 2007 article entitled "Vulnerability tallies surged in 2006" on SecurityFocus.
The article is about a report on trends in the types of CVEs: "a report
released in October by the Common Vulnerabilities and Exposures (CVE) Project
found that the top-three categories of flaws were specific to Web programs
and accounted for 45 percent of the bugs reported in the first nine months
of the year."
The author also includes a quote by CVE List Editor Steve Christey about researchers searching for possible security vulnerabilities: "Many people are doing 'grep and gripe' research. They are doing a regular expression search, looking for patterns. If they get a match they will report it to the public, but sometimes what ends up happening is they are reporting false positives." Christey further states: "You have emerging levels of sophistication for vulnerability researchers. You have a lot of people who are able to find the low-hanging fruit. But for major software, it seems to be getting more difficult for top researchers to find these issues--they have to work harder, spend more time, spend more resources, (and) do more complex research."
SecurityFocus is a member of the CVE Editorial Board. The article was written by Robert Lemos.
CSOonline.com, January 1, 2007
CVE was mentioned throughout a January 1, 2007 article entitled "The Chilling Effect" on CSOonline.com about "how the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal." The author refers to CVE as "the definitive dictionary of all confirmed software bugs."
CVE is mentioned again when the author quotes CVE List Editor Steve Christey on vulnerability disclosure: "Disclosure is one of the main ethical debates in computer security. There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward." The author then uses CVE Identifiers to illustrate responsible disclosure: "Three vulnerabilities that followed the responsible disclosure process recently are CVE-2006-3873, a buffer overflow in an Internet Explorer DLL file; CVE-2006-3961, a buffer overflow in an ActiveX control in a McAfee product; and CVE-2006-4565, a buffer overflow in the Firefox browser and Thunderbird e-mail program. It's not surprising that all three are buffer overflows. With shrink-wrapped software, buffer overflows have been for years the predominant vulnerability discovered and exploited."
The author also discusses the trends in the types of CVEs: "The speed with which Web vulnerabilities have risen to dominate the vulnerability discussion is startling. Between 2004 and 2006, buffer overflows dropped from the number-one reported class of vulnerability to number four. Counter to that, Web vulnerabilities shot past buffer overflows to take the top three spots. The number-one reported vulnerability, cross-site scripting (XSS), comprised one in five of all CVE-reported bugs in 2006." As part of this discussion the author again quotes Steve Christey: "Every input and every button you can press is a potential place to attack. And because so much data is moving you can lose complete control. Many of these vulnerabilities work by mixing code where you expect to mix it. It creates flexibility but it also creates an opportunity for hacking."
Steve Christey is again quoted in the final section of the article about the future of Web vulnerabilities: "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." The author goes on to state that "Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet."
The article was written by Scott Berinato.