Tag: Symantec

  • Saving Bugtraq

    In July of 2019, many noticed that the Bugtraq mail list stopped having posts approved, including Art Manion at CERT. Since there are many other outlets for vulnerability disclosure, such as the Full-Disclosure mail list, Packetstorm, Exploit Database, and increasingly on GitHub, it didn’t receive much attention. It wasn’t like the days when the list…

  • Your yearly reminder to post to Full-Disclosure, not Bugtraq

    [This was originally published on the OSVDB blog.] [10/29/2020 Update: As of February 24, SecurityFocus has stopped moderating posts to the Bugtraq mail list without explanation or warning. This is apparently related to Broadcom acquiring Symantec, the owner of SecurityFocus.] This has been a long-recognized and proven thing, but every year we run into more…

  • Missing Perspective on the Closure of the Full-Disclosure Mail List

    [This was originally published on the OSVDB blog.] This morning I woke to the news that the Full-Disclosure mail list was closing its doors. Assuming this is not a hoax (dangerously close to April 1st) and not spoofed mail that somehow got through, there seems to be perspective missing on the importance of this event.…

  • “Threat Intelligence”, not always that intelligent.

    I’ve been in the security arena for some time now, like many of my friends and colleagues. For over a decade, we have been presented with several vendors that deliver yearly reports summarizing various attributes of the industry: vulnerabilities, hack attacks, spam, malware, breaches, and more. They are typically delivered in summaries that can be…

  • VDBs Devolving?

    [This was originally published on the OSVDB blog.] I’m big on Vulnerability Database (VDB) evolution. I tend to harp on them for not adding features, not making the data more accessible and generally doing the exact same thing they did ten years ago. While the target of my ire is typically functionality or usability, today…

  • Who’s to blame? The hazard of “0-day”.

    [This was originally published on the OSVDB blog.] This blog entry is probably worth many pages of ranting, examining and dissecting the anatomy of a 0-day panic and the resulting fallout. Since this tends to happen more often than some of us care to stomach, I’ll touch on the major points and be liberal in…

  • Vulnerability Research In Numbers

    [This was originally published on the OSVDB blog.] I’m so far behind in my daily routine and missed Thomas Ptacek’s post on Vuln Research In Numbers. Fortunately, Dave Aitel referenced the blog entry which prompted me to check it out. I so desperately want Ptacek to run his numbers against a complete OSVDB data set,…

  • No Exception for Symantec

    [This was originally published on the OSVDB blog.] Symantec posted a message to Bugtraq earlier this month announcing the availability of a new advisory. The advisory presumably covers a vulnerability or issue in Symantec On-Demand Protection. If you are reading this blog entry a year from now, that is all you may find on it.…

  • Depending on how you count flaws..

    [This was originally published on the OSVDB blog.] After flap, Symantec adjusts browser bug countDepending on how you count flaws, either IE or Firefox could be considered less secureNews Story by Robert McMillan MARCH 07, 2006 (IDG NEWS SERVICE) – A report issued today by Symantec Corp. seeks to satisfy users of both Mozilla Corp.’s…

  • OSVDB ThreatRiskWarnFUD Level 6.32

    [This was originally published on the OSVDB blog.] While chatting with a journalist about risks and ratings. I think the conversation started with a discussion on CVSS, but moved on to more general risk ratings. This lead me to wonder about the usefulness of Internet risk/threat ratings that some security companies maintain. Does anyone use…