CVE in the News 2006
CVE in the News is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
December 2006
SC Magazine, December 27, 2006
CVE was mentioned in a December 27, 2006 article entitled "Hot or Not: Web Application Vulnerabilities" in SC Magazine. The article is about a report on trends in the types of CVEs: "There's no doubt that web applications have become the attackers' target of choice. In September, Mitre Corp.'s Common Vulnerabilities and Exposures list - a tally of publicly disclosed vulnerabilities - ranked cross-site scripting in the number one slot. In fact, cross-site scripting attacks surpassed buffer overflow vulnerabilities. And four of the top five reported vulnerabilities proved to be within web applications."
The article also mentions that in the November 2006 SANS Institute Top-20 Internet Security Attack Targets 2006 Annual Update, which uses 210 CVE Identifiers to uniquely identify the vulnerabilities it describes, "web applications topped the list for Cross-Platform Application vulnerabilities." The article was written by Amol Sarwate.
November 2006
Software Development Times, November 15, 2006
CVE was mentioned in a November 15, 2006 article entitled "The Rise of Cross-Site Scripting" on the Software Development Times Web site. The article is about a report on trends in the types of CVEs: "[CVE List] data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)" The article was written by Brian Chess.
SearchSecurity.com, November 9, 2006
CVE was mentioned in a November 9, 2006 article entitled "Software security flaws begin and end with Web application security" on SearchSecurity.com. The article is about a report on trends in the types of CVEs: "According to a recent report published by the Common Vulnerabilities and Exposures (CVE) project, flaws in Web software are among the most reported security issues so far this year. It's easy to see why. After all, hackers are known to search for an easy target. Poorly configured or written Web applications are not only an easy target, taking the attacker straight to their goal — data, and lots of it — but also can be used to spread malware to anyone else who visits the compromised site." The article was written by Michael Cobb.
October 2006
Dark Reading, October 10, 2006
CVE was mentioned in an October 10, 2006 article entitled "Hot New OS Flaw: Integer Overflow" on Dark Reading. The article is about a report on trends in the types of CVEs: "Buffer overflow maintains its top ranking as the most exploited security flaw in operating systems, but integer overflows are now at number two, according to MITRE's ... Common Vulnerability and Exposures (CVE)." Other types of CVEs are also discussed. The article was written by Kelly Jackson Higgins.
September 2006
SC Magazine, September 22, 2006
CVE was mentioned in an article entitled "XSS flaws jump to top of CVE rankings, but is the threat overblown?" in the September 22, 2006 issue of SC Magazine. The article is a report about a study by Jeremiah Grossman, CTO of WhiteHat Security, who used the CVE List to determine that "XSS flaws are now the No. 1 flaw on MITRE's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago." The article also includes a quote by Grossman, who states: "This is important to realize because XSS is now ranked ... as the most prevalent vulnerability, even more prevalent than buffer overflows." The article was written by Frank Washkuch Jr.
CRN.com, September 4, 2006
CVE identifiers were used to identify the vulnerabilities being tracked in a chart entitled "A Look at Recent Vulnerability Ratings" that was part of a September 4, 2006 article about vulnerability reporting entitled "Security Spin Cycle" on CRN.com. The article was written by Kevin McLaughlin.
August 2006
SC Magazine, August 24, 2006
CVE was mentioned briefly in an article entitled "ArcSight simplifies SIM with new standard" in the August 22, 2006 issue of SC Magazine. The main focus of the article is a report that "ArcSight announced the release of its Common Event Format (CEF), a standard which they believe will help the security information management (SIM) niche better serve the enterprise market."
CVE is mentioned when the author states that Charles Kolodgy, research director for IDC, "likened the development to the vulnerability management world's CVE standard, which is used across numerous security vendors in order to simplify things for customers."
ArcSight, Inc.'s ArcSight Enterprise Security Manager (ArcSight ESM) is listed as officially CVE-Compatible in the CVE-Compatible Products and Services section. The article was written by Ericka Chickowski.
USA Today, August 3, 2006
CVE was mentioned in an article entitled "Cybercrooks constantly find new ways into PCs" in the August 3, 2006 issue of USA TODAY. The article was a report from Black Hat Briefings 2006 on August 2nd - 3rd, at which CVE hosted an exhibitor/meeting booth. CVE is mentioned in the article as follows: "[The CVE List] provides common names for publicly known security holes and is a rough indicator of which applications are attracting hackers' attention." The article also includes a quote by Secure Elements, Inc. security director Scott Carpenter, who states: "The CVE identifier is the most oranges-to-oranges comparison you can make." The article was written by Byron Acohido.
July 2006
Healthcare Informatics Online, July 2006
CVE was the main topic of an article entitled "The 411 on CVE" in the July 2006 issue of Healthcare Informatics Online. In the article the author describes some of the business impacts of CVE when he states: "Cost-effectiveness research done by both end users and vendors has shown CVE-based technology is worth the money." The author discusses comments about CVE by Larry Pesce, manager of information systems security for Care New England, Providence, R.I., who "cannot imagine doing his job without tools that support the industry-standard vulnerability dictionary known as CVE..." Pesce says that "the CVE-compatible automated penetration testing tool he uses (Core Impact from Core Security, Boston) has saved Care New England — which includes three hospitals, community wellness centers in Providence and Warwick, R.I., and a visiting nurses' association — the cost of hiring one to two full-time network administrators." The author further states: "Pesce's cost-savings analysis is backed by another industry veteran. Billy Austin, chief security officer of Saint Corporation, Bethesda, Md., which recently introduced a CVE-compatible integrated vulnerability scanning and penetration testing tool, [who] says his company's research shows users who take advantage of the CVE reference infrastructure save an average of 2.5 hours of staff time over doing Internet searches for any given vulnerability's attack vectors, likely impact of an exploit, and remediation steps." The article was written by Greg Goth.
June 2006
Information Security Magazine, July 2006
CVE was mentioned in a product review entitled "Vulnerability Management: Tenable Network Security's Security Center 3.0" in the July 2006 issue of Information Security Magazine. CVE is mentioned in a section entitled "IDS/IPS support" in which the author states: "The data also provides relevant information, such as mitigation solutions and external resources like CVE numbers."
Tenable Network Security, Inc. is listed in the CVE-Compatible Products and Services section. The article was written by Brent Huston.
IEEE Distributed Systems Online, June 2006
CVE was the main topic of an article entitled "Functionality Meets Terminology to Address Network Security Vulnerabilities" in the June 2006 issue of IEEE Distributed Systems Online. The article describes what CVE is and the problems it solves, discusses the history of CVE, mentions CVE compatibility, includes a link to the CVE Web site, and notes that the U.S. National Institute of Standards and Technology's National Vulnerability Database (NVD) is built wholly upon CVE identifiers. The article includes a quote from NVD project leader and CVE Editorial Board member Peter Mell, who states: "With 300-plus products and services using [CVE identifiers], we definitely need a database of information relative to the CVE standard, and the NVD database provides that. End users need a way to prioritize the constant stream of vulnerabilities that are coming out ... [and by] ... integrating the NVD and CVE, we've made a significant step toward helping people to do that." The author notes some of the business impacts of CVE via its CVE Compatibility Program when he states: "CVE-compatible products have shown themselves to be cost-effective. Larry Pesce, manager of information systems security for Care New England, a Rhode Island-based healthcare network, says the use of a CVE-compatible penetration testing tool by vendor Core Security probably saves the organization the cost of one to two full-time employees a year. Billy Austin, chief security officer of Saint, a CVE-compatible vendor, says using such tools saves the typical security administrator 2.5 hours per vulnerability over doing manual searches."
The article also mentions MITRE's follow-on standards efforts, including Open Vulnerability and Assessment Language (OVAL), which uses CVE identifiers as the basis for its standardized XML definitions that check for the presence of vulnerabilities on systems; Common Malware Enumeration (CME), which provides single, common identifiers for virus threats to reduce public confusion during malware outbreaks and to facilitate the adoption of a shared, neutral indexing capability for malware; and Common Weakness Enumeration (CWE), which is a community-developed formal list of common software weaknesses intended to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and a baseline standard for vulnerability identification, mitigation, and prevention efforts. The CWE dictionary, which is based in part on the numerous identifiers on the CVE List, is currently hosted on the CVE Web site. The article concludes with a quote by MITRE's CWE Project Manager, Robert A. Martin, who comments on the purpose behind these other information security standards efforts: "People are so used to selecting the vendor and that's kind of the core they build out from. What we want them to do is get married to enabling standards and then build around that."
National Institute of Standards and Technology (NIST) is a member of the CVE Editorial Board, and CVE, NVD, CWE, OVAL, and CME are all sponsored by the U.S. Department of Homeland Security. The article was written by Greg Goth.
Communications of the ACM, June 2006
CVE was mentioned in a June 2006 article in Communications of the ACM, Vol. 49 No. 6, entitled "Software Security Is Software Reliability." The main topic of the article is how vulnerabilities are often described in hacker terms rather than in the "software fault classes known by academic researchers." CVE is mentioned in a section entitled "Bug Class Evolution" when the author explains how he used "the Common Vulnerabilities and Exposures [List that] (cve.mitre.org) contains [17,208] entries of publicly known security issues" and mapped it in order to review the evolution of the bug classes. CVE is also mentioned in the caption for a chart showing "Common Vulnerabilities and Exposures reclassified using terms from software reliability research" from 1999 through 2005. The article was written by Felix Lindner.
March 2006
ServerWatch, March 3, 2006
CVE was mentioned in a March 3, 2006 article on ServerWatch entitled "Zero-Day Flaw Gets Patched." The main focus of the article is the "zero-day issue" that involved "how [Apple Macintosh] OS X 10.4.5 handles ZIP archives in the Safari Web browser." CVE names are mentioned in reference to Apple Security Update 2006-001, which uses CVE to identify the vulnerabilities addressed in the security alert. The CVE names mentioned in the article include CVE-2006-0390, CVE-2005-4504, CVE-2006-0387, CVE-2006-0388, and CVE-2006-0389. The article was written by Sean Michael Kerner.
February 2006
VoIPLoop.com, February 14, 2006
CVE was the main focus of a February 14, 2006 article on VoIPLoop.com entitled "A CVE is not a Resume-It's a Threat." The article explains what CVE is and the problems it addresses; states the number of names currently on the CVE List; mentions the current number of officially CVE-Compatible products and the number of products with declarations to be CVE-compatible; includes a link to the CVE Web site; and discusses CVE-2005-4050 and CVE-2005-3804, which address VoIP vulnerabilities. The author also recommends that readers use CVE-compatible products and that they check the CVE List regularly for new VoIP-specific vulnerabilities. The article was written by Gary Audin.
BigFix Web Site, February 1, 2006
CVE was mentioned in the "Product and Technology Advances" section of a February 1, 2006 news release by BigFix, Inc. entitled "BigFix Accelerates Business Momentum in Fourth Quarter and 2005 Overall." CVE was mentioned as follows: "[BigFix] announced support for important industry standards in 2005, including Cisco NAC, Common Vulnerability Exposures (CVE) compatibility certification, Common Vulnerability Scoring System (CVSS), Open Vulnerability [and] Assessment Language (OVAL), SANS Institute best practices, and US Common Criteria. Expanding standards support enhances customer value of the BigFix solutions by providing consolidated integration and expedited use of vulnerability intelligence information from multiple sources."
MITRE Digest, February 2006
CVE and OVAL were the main topics of a February 2006 MITRE Digest article on the MITRE Corporation Web site entitled "Information Assurance Industry Uses CVE and OVAL to Identify Vulnerabilities." The article describes how "as the number of software vulnerabilities continues to increase, MITRE's OVAL and CVE initiatives are becoming standards in the information assurance industry." The article further describes how the growing list of CVE names "ensures enhanced interoperability and security for enterprises" and describes how "OVAL identifies vulnerabilities and configuration issues."
The article concludes with a section on how "MITRE is leveraging the CVE and OVAL Initiatives to help the [U.S.] Department of Defense (DoD) transform its enterprise incident and remediation management efforts" and how "as a result, the DoD will be fundamentally changing the way it deals with vulnerabilities and configuration issues in the commercial and open source components of its infrastructure and mission systems." The article was written by David Van Cleave.
January 2006
SC Magazine, January 20, 2006
CVE was mentioned in an opinion article entitled "Innovation Still Exists" in the January 20, 2006 issue of SC Magazine. CVE and OVAL are mentioned as two of the projects the author was most impressed with at the 32nd Annual CSI Computer Security Conference: "Next stop was MITRE's CVE booth. I've been a fan of CVE for as long as it's been in existence. Their big news is OVAL (Open Vulnerability and Assessment Language). This is an extremely cool way to manage vulnerabilities and vulnerability assessments. Again, my team is working with this and merging it with ProDiscover IR using ProScript to do automated host-based vulnerability assessment as part of incident response." The article was written by Peter Stephenson of Norwich University.
Security Focus, January 5, 2006
CVE was mentioned in a January 5, 2006 article on SecurityFocus.com entitled "Security flaws on the rise, questions remain." The main focus of the article is how a survey of four major vulnerability databases showed that "the number of publicly reported vulnerabilities jumped in 2005, boosted by easy-to-find bugs in Web applications." The article also discussed the U.S. National Vulnerability Database (NVD), which is built upon CVE identifiers: "In 2005, NIST created the National Vulnerability Database and software makers and security service providers have cooperated to create the Common Vulnerability Scoring System (CVSS), a standardized measure of the severity of software flaws."
CVE is mentioned in reference to comments by CVE List Editor Steve Christey that the "variations in editorial policy and lack of cross-referencing between databases as well as unmeasurable biases in the research community and disclosure policy mean that the databases—or refined vulnerability information (RVI) sources—do not produce statistics that can be meaningfully compared." The article also includes a quote by Christey, who further states: "In my opinion, RVI sources are still a year or two away from being able to produce reliable, repeatable, and comparable statistics. In general, consumers should treat current statistics as suggestive, not conclusive."
All four databases surveyed for the article—NVD, the Computer Emergency Response Team (CERT) Coordination Center's database, the Open-Source Vulnerability Database (OSVDB), and the Symantec Vulnerability Database—are listed in the CVE-Compatible Products and Services section. The article was written by Robert Lemos.
For more information, please email cve@mitre.org
Page last updated: Thursday, 04-Jan-2007 14:57:55 EST