Category: InfoSec
-
Who Reads Mega-advisories? No one! (Almost)
Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer:…
-
VulnCon Day 2 Errata & Taking Ben Edwards to Task
[4/13/2025 Update: See very end, below last image, for an amusing update.] Today was the second day of VulnCon 2025, a conference whose stated purpose is “to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management…
-
The Curious Case of CVE-2015-2551 & CVE-2019-9081 – Doom and Gloom! Or not.
What’s Your Story CVE-2015-2551? This CVE-2015-2551 entry seems straight-forward, based on the description provided by CVE or NVD. Looking at the change history on NVD it is a bit more informative: So the ID was created for the 2015 calendar year, apparently not used, rejected seven years later, and confirmed by the assigning CNA (Microsoft).…
-
ChatGPT Exploited by Threat Actors, Doom and Gloom! Or not.
After years of chasing down typos in CVE IDs, now we all have to contend with poorly researched headlines and apparent to me ambulance chasing over mistaken product names. If you missed the news, threat actors are exploiting a vulnerability in ChatGPT! This is obviously a huge warning and we should all be afraid because…
-
APT Naming Woes Redux (Bonus ‘DOJ’ Oops!)
One aspect of vulnerability intelligence is also doing a best-faith effort to track the threat actors that are using the vulnerabilities. While that information often isn’t published, when it is we should include it. For example, less than 1% of data breaches publish the vulnerability associated with the initial compromise, and that is often the…
-
Has CWE Jumped the Shark?
The Common Weakness Enumeration (CWE) is a MITRE run, community-developed list of common software and hardware weaknesses (Wikipedia Page). The project defines a “weakness” as “a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.” This taxonomy has several uses but they tend to…
-
Reason #283 Why InfoSec Has Failed
For those familiar with my social media, you know that I have frequently said that our industry is failing the commons. InfoSec represents a huge market, companies get paid exorbitant amounts of money, salaries can border on the ridiculous, and the concept of researchers being famous for their work is still alive. Meanwhile, vulnerabilities are…
-
Why Don’t You Fix CVE?
Historically when I pointed out problems in anything, I wasn’t the best at offering solutions. Sometimes I simply had none because the problem was complex and the solutions I came up with were problematic themselves. Other times I had ideas, but they were fairly high-level and abstract and I didn’t want to be like the…
-
CVE Farming – Problem & Solution
Blog Origins In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting…
-
MITRE’s Phoning in New CNAs
On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNA) on their Twitter feed as well as their news page. However, there were actually seven added according to the CNAs page based on tracking it daily. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify.…