Tag: CVE

  • State of vulnerability research?

    [This was originally published on the OSVDB blog.] Steve Christey of CVE has posted to several lists asking What is the state of vulnerability research? Before you dismiss the question, give it serious thought for a few minutes. Have any ideas, opinions or concerns about where vuln research is heading? Where it should be? Drop…

  • Perl Format Strings

    [This was originally published on the OSVDB blog.] Dyad Security announced a new vulnerability in the Webmin miniserv.pl web server component. The perl is vulnerable to a format string bug, which is mostly unseen in perl and quite common in C programs. The post calls this a “a new class of exploitable (remote code) perl…

  • SANS Top 20 Report Value

    [This was originally published on the OSVDB blog.] SANS has released their Top 20 Internet Security Vulnerabilities for 2005. Started in June 2000, “the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities”. The list was designed to help administrators tackle…

  • Vulnerability Classification Terminology

    [This was originally published on the OSVDB blog.] Local or remote, seems so simple when classifying a vulnerability. The last few years have really thrown this simple distinction for a loop. Think of a vulnerability that occurs when processing a file, such as a browser rendering a JPG or GIF, or a program like Adobe…

  • MusicPlasma for Vulnerabilities

    [This was originally published on the OSVDB blog.] A couple years back, I ran across musicplasma. For those not familiar with the engine, it allows you to type in your favorite music artist/band, and see “related” artists. So I type in “portishead” (mmmm) and see related bands like Tricky, and Sneakerpimps. These are all considered…

  • Classification Headache: Remote vs Local

    [This was originally published on the OSVDB blog.] http://archives.neohapsis.com/archives/bugtraq/2005-07/0238.html From: Derek Martin (code[at]pizzashack.org)Date: Thu Jul 14 2005 – 21:39:30 CDT The issue has come up on bugtraq before, but I think it is worth raising it again. The question is how to classify attacks against users’ client programs which come from the Internet, e.g. an…