2008 Industry News Coverage (Archive)
Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
SCMagazine.com, December 29, 2008
CVE was mentioned in a December 29, 2008 article entitled "Microsoft denies vulnerability in Windows Media Player" on SCMagazine.com. The article quotes CVE Technical Lead Steve Christey and CVE Team Member Mark Loveless, who explain that the vulnerability causes Windows Media Player to crash, but is probably not exploitable: "There’s always the potential in these types of situations, with this type of crash-that it could be it could be exploitable," Loveless said. But, the only impact of the vulnerability now is that users will have to restart their media player, Steve Christey, editor of Common Vulnerabilities and Exposures (CVE), a dictionary maintained by MITRE that provides the common names for publicly known security vulnerabilities, told SCMagazineUS.com Monday. Over the past three or four years, there has been an increase in vulnerabilities in media players, Loveless said. The operating system itself is being locked down and is getting harder to break into, so hackers are moving toward desktop software. Since many of these applications can connect to the web, that erodes the defenses of a traditional firewall. "Most hackers will go for the lowest-hanging fruit," Loveless said. "Desktop applications these days are some of the lowest-hanging fruit."
MITRE Web Site, December 1, 2008
CVE was mentioned in a December 1, 2008 MITRE news release entitled "MITRE Releases New Security Software" about its new, open source "Recommendation Tracker" software that "facilitates development of automated security benchmarks." "System administrators use benchmarks — essentially a set of recommendations — to securely configure an operating system or software application and then set up automatic testing to ensure proper configuration."
CVE is mentioned when the release notes that Recommendation Tracker is "the latest tool developed by MITRE in the last 10 years to help the security community produce automated, standardized benchmarks" and that four MITRE-run information security data standards — CVE, CCE, CPE, and OVAL — are used in the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to enable automated vulnerability management, measurement, and policy compliance evaluation.
Government Computer News, July 16, 2008
CVE was mentioned in a July 16, 2008 article entitled "Oracle releases critical updates" in Government Computer News about Oracle including CVE Identifiers in its quarterly Critical Patch Update (CPU) documentation. The author provides three examples of the patches along with their corresponding CVE-IDs, and concludes the article with the following statement: "This quarterly patch cycle is the first to assign CVE Identifiers (CVE-IDs) to vulnerabilities, according to Mitre, which oversees CVE management."
InternetNews.com, July 16, 2008
CVE was mentioned in a July 16, 2008 article entitled "Oracle Patches 45 Vulnerabilities" on InternetNews.com about Oracle including CVE Identifiers in its quarterly Critical Patch Update (CPU) documentation. The author states: "Common Vulnerabilities and Exposure, or CVE, is a standard approach to providing a common identifier for vulnerabilities. The CVE system is widely used by several technology vendors such as Microsoft … and Mozilla to identify security items." The article also includes a quote from a blog post from Eric Maurice, manager for security in Oracle’s global technology business unit, who explains how Oracle’s adoption of CVE: "Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention previously used in the CPU risk matrices. As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier. This change was made possible because Oracle became a "Candidate Naming Authority" under the CVE program."
Oracle Web Site, July 15, 2008
On July 15, 2008 Oracle began including CVE Identifiers in its quarterly Critical Patch Update (CPU) documentation and is now a CVE Candidate Numbering Authority, joining other major software companies (Cisco, Red Hat, Debian, HP, FreeBSD, Ubuntu Linux, Microsoft, and Apple) already independently issuing CVE-IDs for their products.
Oracle promoted their adoption of CVE-IDs in a July 15, 2008 posting on their "Oracle Global Product Security Blog" about the July CPU in which the author states: "As mentioned earlier in this blog, this CPU is also characterized by the adoption of the Common Vulnerabilities and Exposure (CVE) system. As explained on the CVE program web site, "CVE Identifiers (also called "CVE-IDs," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities." Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention that was previously used in the CPU risk matrices. As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier. This change was made possible because Oracle became a ‘Candidate Naming Authority’ under the CVE program. Note that while the CPU documentation is the only authoritative source of information about vulnerabilities in Oracle products, and as such should remain the primary source of information about such vulnerabilities, the use of unique CVE identifiers should result in simplifying how Oracle vulnerabilities are identified in external security reports such as those produced by security researchers and vulnerability management systems. The use in the CPU documentation of CVE identifiers, along with the publication of the Common Vulnerability Scoring System (CVSS) base scores, is further evidence of Oracle’s customer focus in its vulnerability disclosure practices."
Government Computer News, March 3, 2008
CVE was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements."
CVE is mentioned as one of the "more mature standards" among the six that SCAP includes: "The Common Vulnerabilities and Exposures Standard from Mitre, which provides standard identifiers and a dictionary for security vulnerabilities related to software flaws."
Three of the other standards the author references as mature are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities. The author also notes the two "less mature" standards SCAP uses: Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; and Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming.
SCAP is an expansion of NIST’s U.S. National Vulnerability Database (NVD) that is based upon the CVE List. NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The article was written by William Jackson.
SC Magazine, February 1, 2008
CVE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CVE is mentioned in a section entitled "Vulnerabilities on the rise" when the author states: "Last year gave rise to about 7,000 unique vulnerabilities, says Steve Christey, principal information security engineer at MITRE, which maintains the Common Vulnerabilities and Exposure (CVE) list, a dictionary that provides the common names for publicly known security vulnerabilities. Since 1999, MITRE has tracked some 28,000 vulnerabilities in packaged software. While the sheer number of bugs is certainly cause for concern, flaws do have one positive attribute: they provide a tangible way to assess risk, say experts."
CVE is mentioned again when the author explains that "Each CVE listing in the National Vulnerability Database, the U.S. government repository of standards based vulnerability management data, supports the Common Vulnerability Scoring System (CVSS), an open framework that standardizes the severity of vulnerabilities across heterogeneous platforms." Also included is a quote about CVSS that states: "CVSS is a way to provide a consistent risk metric. All of the vulnerability scanning tools and all of the alerts will use their own definition of risk, so a consumer of this information, if they’re not using CVSS, might get multiple interpretations of how significant a single vulnerability is."
The article also mentions MITRE’s Common Weakness Enumeration (CWE), which is based in part on CVE. The article was written by Dan Kaplan.
Processor Magazine, October 5, 2007
CVE was mentioned in the "Product Releases" article in Processor Magazine on October 5, 2007. CVE is mentioned in the "Security" section of the article regarding Secure Elements’ C5 Compliance Platform 3.3, which "…is the first product to work with NIST SCAP content to help federal government agencies meet the OMB Mandate. It also helps with compliance with NIST ISAP/SCAP initiative for auditing security configurations using OVAL, XCCDF, CPE, CVSS, CCE, and CVE."
Secure Elements Web Site, September 18, 2007
CVE was mentioned in a September 18, 2007 news release from Secure Elements, Inc. entitled "Secure Elements Announces New Version of IT Audit and Compliance Platform." CVE is mentioned in the portion of the release that describes how Secure Elements’ C5 Compliance Platform Version 3.3 adds enhanced NIST SCAP FISMA reporting: "For federal government agencies, C5 is the first enterprise solution that works directly with the NIST SCAP content to help them meet the OMB Mandate for secure desktop configurations as well as incorporating all of the latest standards as defined by the NIST ISAP/SCAP initiative for auditing security configurations utilizing OVAL, XCCDF, CPE, CVSS, CCE and CVE."
NetworkWorld, September 25, 2007
CVE was mentioned in an article entitled "Service-oriented security" in NetworkWorld on September 25, 2007. CVE is mentioned when the author discusses Security Content Automation Protocol (SCAP). The author states: "The basic premise is that the only way we’ll ever get a handle on the operational challenges of security management is to automate as many of the processes as possible. SCAP pulls information from a number of standardized information sources, including (warning: acronym soup ahead): the eXtensible Configuration Checklist Description Format (XCCDF), the Open Vulnerability Assessment Language (OVAL), Common Vulnerability Scoring System, (CVSS) and Common Vulnerabilities and Exposures (CVE) database." The article was written by Andreas M. Antonopoulos.