Month: January 2006

  • OSVDB ThreatRiskWarnFUD Level 6.32

    [This was originally published on the OSVDB blog.] I was chatting with a journalist about risks and ratings. I think the conversation started with a discussion of CVSS, but it moved on to more general risk ratings. This led me to wonder about the usefulness of the Internet risk/threat ratings that some security companies maintain. Does anyone use…

  • A Word on Solutions (We Won’t Tell)

    [This was originally published on the OSVDB blog.] From time to time, vendors will contact OSVDB to notify us of solutions to vulnerabilities included in the database. These are almost always very professional mails, usually polite, and sometimes include all the details we need/want. These mails may say something along the lines of “we have…

  • For Journalists Covering Oracle…

    [This was originally published on the OSVDB blog.]
    2004-08-04: 34 flaws found in Oracle database software
    2004-09-03: US gov and sec firms warn of critical Oracle flaws
    2004-10-15: Oracle Warns of Critical Exploits
    2005-01-20: Oracle Patch Fixes 23 ‘Critical’ Vulnerabilities
    2005-10-19: Oracle fixes bugs with mega patch
    2006-01-18: Oracle fixes pile of bugs
    In the interest of helping journalists cover…

  • A Time to Patch

    [This was originally published on the OSVDB blog.] http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m.html Brian Krebs has a fantastic post on his blog covering the time it takes Microsoft to release a patch, and whether they are getting any better at it. Here are a few relevant paragraphs from it, but I encourage you to read the entire article.…

  • DHS & Your Tax Dollars

    [This was originally published on the OSVDB blog.] Full Article: Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity’s commercial tool for source code analysis, representatives for the three grant recipients told…

  • A Word on Solutions (Use Another Product)

    [This was originally published on the OSVDB blog.] Something led you to the product that ended up on your systems. Be it a feature, a look, ease of use, or price, it was a driving force in your decision. Changing to a different product isn’t easily done, especially if your current solution is heavily integrated…

  • The Purpose of Tracking Numbers.. (HP)

    [This was originally published on the OSVDB blog.] In the context of advisories, it’s simple: to help track documents and avoid confusion. Much the same reason a vulnerability database assigns a unique number to an issue. If there is confusion when discussing a vulnerability, you reference the unique ID and, ideally, the confusion goes away. That…

  • An Open Letter on the Interpretation of “Vulnerability Statistics”

    [This was originally published on the OSVDB blog.] Steve Christey (CVE Editor) wrote an open letter to several mailing lists regarding the nature of vulnerability statistics. What he said is spot on, and most of what I would have pointed out had my previous rant been more broad, and not a direct attack on a…

  • US-CERT: A Disgrace to Vulnerability Statistics

    [This was originally published on the OSVDB blog.] Several people have asked OSVDB about their thoughts on the recent US-CERT Cyber Security Bulletin 2005 Summary. Producing vulnerability statistics is trivial to do. All it takes is your favorite data set, a few queries, and off you go. Producing meaningful and useful vulnerability statistics is a…