Tag: CVE

  • A critique of the summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”

    Update: Corren McCoy has written a wonderful response to this blog where she goes into more detail about her conclusions as well as citing more portions of the original research that led to her conclusions. As she notes, there are several layers of condensing the original research at play here, which can dilute and distort…

  • Not all CVEs are Created Equal. Or even valid…

    [I wrote this early 2019 and it was scheduled for January 7 but it apparently did not actually publish and then got lost in my excessive drafts list. I touched it up this week to publish because the example that triggered this blog is old but the response is evergreen. Apologies for the long delay!]…

  • More authorities, more CVEs; Oh, and more commentary.

    On November 10, TechBeacon published a great article by Rob Lemos titled “More authorities, more CVEs: What it means for app sec teams” in which I was quoted, along with several other people. Like many articles of this nature, those who provide input often will talk for as long as half an hour and ultimately…

  • “The History of CVE” and A Couple of Objections

    I just read “The History of Common Vulnerabilities and Exposures (CVE)” by Ary Widdes from Tripwire and found it to be a great summary of the 20+ years of the program. I say that as an outspoken CVE and MITRE critic even! I do have a couple of objections, however, with the conclusion, and then…

  • Why Anaconda INC Doesn’t Fully Understand CVEs

    It’s worrisome that in 2020 we still have people in influential technical roles that don’t understand CVE. A friend told me earlier this year he was in a meeting where someone said that CVE IDs are assigned in order, so CVE-2020-9500 meant there were 9500 vulns in 2020 so far. Of course that is not…

  • Disclosure Repair Timelines?

    For those in InfoSec, you have probably seen a vulnerability disclosure timeline. Part of that often includes the researcher’s interaction with the vendor including the vulnerability being fixed. After the issue is disclosed, the story typically ends there. Every so often, work needs to be done after that to ‘repair’ part of the disclosure. For…

  • WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

    [This was originally published on the OSVDB blog.] On September 8, 2016, Jason Levy of WhiteSource Software published a blog titled “Open Source Vulnerability Database”. Almost two years later it came across my radar and I asked via Twitter if WhiteSource was interested in getting feedback on the blog, since it contained errata. They never…

  • CVE and the matter of “unique” ID numbers

    Common Vulnerability Enumeration, now known as Common Vulnerabilities and Exposures (CVE), is a vulnerability database (ignore their silly claim to be a ‘dictionary’) that the information security industry relies on heavily, unfortunately. Per MITRE’s CVE page, “CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly…

  • Microsoft, CVE, MITRE, ETERNALBLUE, Headache…

    2019-02-14 Update: Thanks to Chris Mills @ MSRC (@TheChrisAM), who has been working behind the scenes since this blog was published, he has brought clarity to these assignments! MSRC is still potentially touching up some additional documentation to make it easier to see these associations, but here is the definitive answer from him: CVE-2017-0143 ShadowBrokers…

  • Case Study: Third-Party Plugins

    [This was originally published on RiskBasedSecurity.com in the 2018 Q3 Vulnerability QuickView Report.] Many people are familiar with content management systems (CMS), which are used in a variety of roles. Millions of people use them via hosted software such as WordPress.com and companies use them for blogging and knowledgebase systems. Historically, despite their wide deployment,…