Month: September 2005

  • A Day in the Life of a Security Bulletin

    [This was originally published on the OSVDB blog.] A Day in the Life of a Security Bulletin – http://blogs.technet.com/msrc/archive/2005/09/28/411635.aspx Hi all- Alexandra Huft here again! I thought you might find it interesting to see “behind the scenes” of how a security vulnerability eventually becomes a security bulletin. So, I’ll start way back at the beginning. We receive…

  • An Analysis of Reputational Risk

    [This was originally published on the OSVDB blog.] Kenneth Belva of Franklin Technologies United, Inc. announced a paper titled “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk”. The paper was delivered as the keynote address at the FiTech Summit 2005. In his announcement, he states “This paper should be regarded…

  • Vulnerability Classification Terminology

    [This was originally published on the OSVDB blog.] Local or remote, seems so simple when classifying a vulnerability. The last few years have really thrown this simple distinction for a loop. Think of a vulnerability that occurs when processing a file, such as a browser rendering a JPG or GIF, or a program like Adobe…

  • MusicPlasma for Vulnerabilities

    [This was originally published on the OSVDB blog.] A couple years back, I ran across musicplasma. For those not familiar with the engine, it allows you to type in your favorite music artist/band, and see “related” artists. So I type in “portishead” (mmmm) and see related bands like Tricky, and Sneakerpimps. These are all considered…

  • “OSS means slower patches” – huh?!

    [This was originally posted on the OSVDB blog.] http://australianit.news.com.au/articles/0,7204[..].html – “OSS means slower patches”, Chris Jenkins, SEPTEMBER 19, 2005. This was posted to Full-Disclosure where I first replied, and ISN picked up. Articles like this do nothing positive for our industry. Jenkins should not waste his time writing fluff pieces like this, and he should do some digging or…

  • Scary Oracle Numbers

    [This was originally published on the OSVDB blog.] http://www.eweek.com/print_article2/0,1217,a=160368,00.asp – “On Security, Is Oracle the Next Microsoft?”, September 16, 2005, by Paul F. Roberts. While [Oracle CSO Mary Ann Davidson] acknowledges that some of the criticism from Litchfield and others is valid, outsiders aren’t privy to the 75 percent of product holes that Oracle discovers and fixes internally.…

  • .. and the debate keeps raging

    [This was originally published on the OSVDB blog.] ZDnet Asia had an article recently, titled “Bug hunters, software firms in uneasy alliance” which brought up the age old full disclosure (or ‘responsible’ disclosure) debate. This prompted a slashdot thread with various comments. My favorite pop tart, Mary Ann Davidson (chief security officer at Oracle) managed…

  • Vuln Info Disclosure via Blogs

    [This was originally published on the OSVDB blog.] Recently, Juha-Matti Laurio questioned if there is a trend in releasing vulnerability information via blog entry. While he is right that we are seeing it a bit more frequently, I don’t think it is any different than the dozens of “hacker” or security message forums that consistently…

  • Vulnerabilities becoming more mainstream?

    [This was originally published on the OSVDB blog.] Before 2005, it was fairly rare to see a news article specifically covering a vulnerability. They would usually pop up if a vuln was used in a mass compromise, the basis of a worm propagating, or affected large vendors such as Microsoft and Oracle. This year however,…