Monday, February 4, 2013

CVE System Expands,
Adjusting To Increasing Security Flaw Discovery

--
My hero/nemesis

This article caught my eye as it features Dr. Charlie Miller, noted expert on Mac computer security:


Flaw Flood Busts Bug Bank

By Brian Krebs, 2013-02-03
http://krebsonsecurity.com/2013/02/flaw-flood-busts-bug-bank/
...Charlie Miller, a well-known bug finder and big proponent of researchers getting paid for finding flaws, said these numbers also reflect the reality that it is getting harder to find major bugs in big-name products from companies like Apple and Microsoft. Miller said if vulnerability numbers are increasing year over year, it is because more people are looking at more products.

“Vulnerabilities in ‘things we care about,’ by which I mean things that we personally use or will personally have to patch, have either gone down or haven’t gone up much,” Miller said. “The products that have been hammered on for a long time tend to be getting pretty secure.  Its all these new things nobody has ever audited that are accounting for all the new bugs.  Its pretty easy to find vulnerabilities in products that have never undergone security review and I think this is what we are seeing.”

CVE stands for Common Vulnerabilities and Exposures, as used in the term: CVE Index. The home page for the CVE Index is located at the Mitre Corporation website here:


http://cve.mitre.org/cve/


You can also look up CVE reports at the US National Vulnerability Database website (if you can get their clunky page to load!) located here:


http://web.nvd.nist.gov/view/vuln/search


Or, try digging around on their (clunky!) website here:


http://nvd.nist.gov


I often end up finding more thorough information about specific CVE reports at Security Focus and Security Tracker. Thank you to both!


 The big change in the CVE Index system is the expansion of their numbering to allow for  999,999 CVE reports per year, improving upon the current system allowing for only 9,999 reports per year.


Clearly, searching for software vulnerabilities has become a profitable business for both white and black hat hackers as well as malware rats. The CVE Index is the default system for documenting security holes, essential for serving up hearty helpings of fried malware and malware rats.




--

No comments:

Post a Comment