Tag: OSVDB

  • Selling Vulnerabilities: Going Once…

    [This was originally published on the OSVDB blog.] A couple days ago, “fearwall” created an eBay listing for a “Brand new Microsoft Excel Vulnerability”. I have mirrored a screenshot in case the listing is removed, which I expect it to be. One has to wonder if companies like iDefense or Tipping Point will bid, since…

  • Symantec Bites the Hand That Feeds…

    [This was originally published on the OSVDB blog.] Just over ten years ago (95-09-15) *Hobbit* wrote a little tool called netcat (aka nc), swiftly dubbed the “TCP/IP Swiss Army knife”. *Hobbit* was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond…

  • National Computer Security Day

    [This was originally posted to the OSVDB blog.] November 30th was National Computer Security Day. It came and went... did you notice? I previously blogged about National Cyber Security Awareness Month, calling into question the value of awareness months of any kind. Awareness days are no different. As William Knowles said, “might have been…

  • Perl Format Strings

    [This was originally published on the OSVDB blog.] Dyad Security announced a new vulnerability in the Webmin miniserv.pl web server component. The perl is vulnerable to a format string bug, which is mostly unseen in perl and quite common in C programs. The post calls this a “a new class of exploitable (remote code) perl…

  • SANS Top 20 Report Value

    [This was originally published on the OSVDB blog.] SANS has released their Top 20 Internet Security Vulnerabilities for 2005. Started in June 2000, “the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities”. The list was designed to help administrators tackle…

  • Google Device Vulnerabilities, EULA and More…

    [This was originally published on the OSVDB blog.] H D Moore recently wrote that he discovered several vulnerabilities in Google Search Appliances. You can find details of these on the Metasploit Vulnerability Page, as well as search OSVDB for the corresponding entries. Normally this wouldn’t be worth posting about, however Moore’s comments on the Google…

  • Security Advisories, Mail Lists, and You

    [This was originally published on the OSVDB blog.] When a security researcher finds a vulnerability, they may choose to release the details in a formal advisory. The difference between a random post to a mail list and an advisory typically involves the level of detail and the amount of peripheral information about the vulnerability. This…

  • Disclosure or Blatant Advertising?

    [This was originally published on the OSVDB blog and re-published on the Sydney Morning Herald.] Security advisories are a form of advertising. First and foremost, they are used to promote the technical capability of a security company and showcase the talent. If a researcher or company was completely altruistic, they would not release an advisory…

  • Advisory Archives 102 (why Mandriva hates VDBs)

    [This was originally posted on the OSVDB blog.] I recently made a post titled Mail List Archives 101 (or why SF hates VDBs) commenting about the restructure of the SecurityFocus mail list archive. In short, it’s a bad thing. Unfortunately for many people, especially vulnerability databases, this is happening more and more, on various sites…

  • Vulnerability One Trick Pony?

    [This was originally published on the OSVDB blog.] I know the title of this may seem to be a slight on the researchers I will use as examples, but that is not the case at all. Some people in the security community have a perception that some vulnerability researchers are so-called “one trick ponies”, meaning…