• VulnCon Day 2 Errata & Taking Ben Edwards to Task

    [4/13/2025 Update: See very end, below last image, for an amusing update.][2/19/2026 Update: See very very end for an amusing update, yet positive!] Today was the second day of VulnCon 2025, a conference whose stated purpose is “to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken…

  • The Curious Case of CVE-2015-2551 & CVE-2019-9081 – Doom and Gloom! Or not.

    What’s Your Story CVE-2015-2551? This CVE-2015-2551 entry seems straightforward, based on the description provided by CVE or NVD. Looking at the change history on NVD is a bit more informative: the ID was created for the 2015 calendar year, apparently not used, rejected seven years later, and confirmed by the assigning CNA (Microsoft).…

  • ChatGPT Exploited by Threat Actors, Doom and Gloom! Or not.

    After years of chasing down typos in CVE IDs, now we all have to contend with poorly researched headlines and what looks to me like ambulance chasing over mistaken product names. If you missed the news, threat actors are exploiting a vulnerability in ChatGPT! This is obviously a huge warning and we should all be afraid because…

  • APT Naming Woes Redux (Bonus ‘DOJ’ Oops!)

    One aspect of vulnerability intelligence is also doing a best-faith effort to track the threat actors that are using the vulnerabilities. While that information often isn’t published, when it is we should include it. For example, less than 1% of data breaches publish the vulnerability associated with the initial compromise, and that is often the…

  • Has CWE Jumped the Shark?

    The Common Weakness Enumeration (CWE) is a MITRE-run, community-developed list of common software and hardware weaknesses (Wikipedia Page). The project defines a “weakness” as “a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.” This taxonomy has several uses but they tend to…

  • Reason #283 Why InfoSec Has Failed

    For those familiar with my social media, you know that I have frequently said that our industry is failing the commons. InfoSec represents a huge market, companies get paid exorbitant amounts of money, salaries can border on the ridiculous, and the concept of researchers being famous for their work is still alive. Meanwhile, vulnerabilities are…

  • Why Don’t You Fix CVE?

    Historically when I pointed out problems in anything, I wasn’t the best at offering solutions. Sometimes I simply had none because the problem was complex and the solutions I came up with were problematic themselves. Other times I had ideas, but they were fairly high-level and abstract and I didn’t want to be like the…

  • CVE Farming – Problem & Solution

    Blog Origins In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting…

  • MITRE’s Phoning in New CNAs

    On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNAs) on their Twitter feed as well as their news page. However, there were actually seven added according to the CNAs page, based on tracking it daily. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify.…

  • CISA Weekly Bulletins FOIA Results

    Did you know that CISA publishes a weekly bulletin of “new vulnerabilities”, and has for a long time? They tend to have anywhere from 350 up to almost 1,000 vulnerabilities depending on the volume of CVEs published. The bulletins are entirely based on CVE IDs being published, not when the disclosures happened (just like CVE…