Month: April 2021

  • The Rundown: CVE IDs & RESERVED Status

    During the process of assigning a CVE ID, there is a time period between the assignment and the disclosure, and again between the disclosure and it becoming available on MITRE’s CVE site or NIST’s National Vulnerability Database (NVD). During this period, the ID will be shown as RESERVED. First, it is important to note that…

  • The Rundown: CVE IDs & REJECT Status

    Analysts and practitioners who digest CVE regularly will likely be familiar with CVEs that are in REJECT status. If you are new to CVE or not familiar with some of the more gritty details, a CVE assignment may be rejected for various reasons. When that happens, it will receive a capitalized REJECT status:…

  • The Rundown: CVE IDs, Meanings, & Assumptions

    For almost two decades, CVE has been considered an industry standard for vulnerability tracking. A CVE ID can be affiliated with many vulnerabilities, in a format like CVE-2014-54321. Note my choice in ID, from 2014 with a consecutive set of numbers. That is because I specifically chose a ‘sample’ CVE that was set aside as…

  • Down The Vulnerability Rabbit Hole

    [This was originally published on RiskBasedSecurity.com.] In a recent article, The Importance of a Living Database, we detailed why it is important to revisit entries as new information comes to light. Like the times, vulnerabilities are a-changin’. We’ve been known to revisit a vulnerability record over 1,200 times, which may seem excessive, and some may…

  • SolarWinds: Sitting on Undisclosed Vulnerabilities

    [This was originally published on RiskBasedSecurity.com.] SolarWinds was in the news last year, as the victim of an attack that compromised its Orion Platform software by inserting a backdoor into it, allowing for remote code execution. This attack has had an incredible impact on the security industry and recently, interest in the SolarWinds breach has…

  • Saving Bugtraq

    In July of 2019, many noticed that the Bugtraq mail list stopped having posts approved, including Art Manion at CERT. Since there are many other outlets for vulnerability disclosure, such as the Full-Disclosure mail list, Packetstorm, Exploit Database, and increasingly on GitHub, it didn’t receive much attention. It wasn’t like the days when the list…

  • March 2021 Reviews (Coming 2 America, Cosmic Sin, I Care A Lot, Point Blank, Cherry, 3022, The Ballad of Lefty Brown, Unknown, SAS: Red Notice)

    [A summary of my movie and TV reviews from last month, posted to Attrition.org, mixed in with other reviews.] Coming 2 America (2021). Medium: Movie (Amazon). Rating: 4/5, Zamunda Ministry of Propaganda approves. Reviewer: jericho. Reference(s): IMDB Listing || Amazon. Thirty years later, a sequel that was never supposed to happen according to Arsenio Hall. I’m glad they changed their mind!…