Tag: OSVDB

  • OSVDB at DEF CON 13

    [This was originally published on the OSVDB blog.] Several project leaders and OSVDB volunteers will be attending DEF CON 13 later this week. If you would like to meet up, hang out, ask questions or pledge time (booze?!), feel free to track us down. Odds are we will be around the Alexis Park pool during […]

  • Zero Day Vulnerabilities – Sell Your Soul?

    [This was originally published on the OSVDB blog.] There have been several Vulnerability Sharing Clubs (VSC) in the past including iDefense, Immunity and others. For those who question this business model, consider Verisign just purchased iDefense for US $40 million. Still not a believer? Consider 3Com/TippingPoint is now offering a new VSC called the Zero […]

  • Vuln info from public sources and VDB ‘rules’?

    [This was originally published on the OSVDB blog.] This has come up in the past, and again more recently. Is information found on a vendor website, such as a changelog or bugzilla entry, fair game for inclusion in a vulnerability database? Some vendors seem to think this material is off limits. If a person keeps […]

  • Classification Headache: Remote vs Local

    [This was originally published on the OSVDB blog.] http://archives.neohapsis.com/archives/bugtraq/2005-07/0238.html From: Derek Martin (code[at]pizzashack.org) Date: Thu Jul 14 2005 – 21:39:30 CDT The issue has come up on bugtraq before, but I think it is worth raising it again. The question is how to classify attacks against users’ client programs which come from the Internet, e.g. an […]

  • ICAT > NVD

    [This was originally published on the OSVDB blog.] Someone brought this to my attention: http://nvd.nist.gov/ National Vulnerability Database. Welcome to NVD!! NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard. NVD contains: 11708 Vulnerabilities, 482 US-CERT […]

  • Why Vulnerability Databases Can’t Do Everything

    [This was originally published on the OSVDB blog.] https://seclists.org/fulldisclosure/2005/Jul/292 From: Steven M. Christey (coley[at]mitre.org) Date: Fri Jul 15 2005 – 13:35:52 CDT Vulnerability databases and notification services have to pore through approximately 100 new public vulnerability reports a week. Correction: that’s HUNDREDS of reports, from diverse and often unproven sources, for about 100 unique vulnerabilities per […]

  • HTTP Request Smuggling

    [This was originally published on the OSVDB blog.] Last month, Watchfire released a new paper describing “HTTP Request Smuggling” attacks. Since the release of this paper, many products have been found prone to such attacks. Some of these include SunONE Web Server, Oracle Application Server Web Server, IBM WebSphere, BEA WebLogic, Tomcat, Microsoft Internet Information […]

  • Reverse Engineering Microsoft Patches in 20 Minutes

    [This was originally published on the OSVDB blog.] Halvar posted to the DailyDave mail list today showing a brief flash based demonstration of some of his reverse engineering tools. The presentation shows how one can reverse engineer a Microsoft patch using binary diff analysis, and figure out exactly what the vulnerability is, down to the […]

  • Second-Order Symlink Vulnerabilities

    [This was originally published on the OSVDB blog.] http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0060.html While symlink vulnerabilities are not new, Steven Christey from CVE points out a recent trend in “second-order symlink” vulnerabilities. Based on the recent examples published, there is a strong chance many applications have been vulnerable to such attacks in the past.

  • Vulnerabilities and Stock Value

    [This was originally published on the OSVDB blog.] Study: Flaw disclosure hurts software maker’s stock. Robert Lemos, SecurityFocus, 2005-06-06, http://securityfocus.com/news/11197 The study analyzed the release of 146 vulnerabilities and found that a software company’s stock price decreased 0.63 percent compared to the tech-heavy NASDAQ on the day a flaw in the firm’s product is announced. The study […]