Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
MITRE Corporation Web Site, September 17, 2014
MITRE Corporation issued the news release below on September 17, 2014, which is available on the MITRE Web site at: http://www.mitre.org/news/press-releases/leading-software-vendors-and-cybersecurity-organizations-among-early-adopters-of.
Leading Software Vendors and Cybersecurity Organizations Among Early Adopters of MITRE's New Vulnerability Naming Format
MCLEAN, Va., September 17, 2014—The MITRE Corporation announced today that several leading software vendors and cybersecurity organizations are now consuming or producing Common Vulnerabilities and Exposures (CVE®) Identifier numbers—also called "CVE-IDs"—in the new numbering format. By taking this important step, these organizations ensure that their products, tools, and processes that use CVE will continue to work properly once CVE-ID numbers are issued using the new syntax, which could happen before the end of 2014, and no later than Tuesday, January 13, 2015.
CVE is the worldwide standard for information security vulnerability names, and the CVE List provides a dictionary of common names for publicly known information security vulnerabilities in software. MITRE operates CVE on behalf of and with the sponsorship of US-CERT in the office of Cybersecurity and Communications in the U.S. Department of Homeland Security.
The syntax of CVE-ID numbers (e.g., CVE-2014-0160, which had four digits at the end) was changed in January 2014 to accommodate five, six, or more end digits so that CVE can track 10,000 or more vulnerabilities for a given calendar year. The previous four-digit restriction only allowed up to 9,999 vulnerabilities per year, but a change was needed to keep pace with the growing number of vulnerabilities being reported annually. It is possible that 10,000 CVE-IDs will be necessary before the end of 2014.
If the format change is not implemented in a timely manner, it could significantly impact CVE users' vulnerability management practices. To encourage industry and other CVE users to accommodate the new format, MITRE is recognizing those organizations that have declared that they are, or will be, compliant with the new CVE-ID numbering format.
Early adopters of the new CVE-ID format include: Adobe; CERIAS at Purdue University; CERT Coordination Center (CERT/CC); CERT-IST; EMC Corporation; High-Tech Bridge SA; IBM; ICS-CERT; Information-technology Promotion Agency, Japan (IPA); Japan Computer Emergency Response Team Coordination Center (JPCERT/CC); LP3; Microsoft Corporation; National Institute of Standards and Technology, National Vulnerability Database (NVD); NSFOCUS; Oracle; Red Hat, Inc.; SecurityTracker; SUSE LLC; and Symantec Corporation.
"We are assigning new CVE-IDs at an unprecedented rate," said Steve Christey Coley, Principal Information Security Engineer at MITRE and editor of the CVE List. "It's too close to call right now, but we could exceed the 4-digit limit before the end of this year. If we need more than 9,999 CVE-IDs in 2014, we will follow the new syntax and start using 5-digit CVE-IDs. If organizations don't update to the new CVE-ID format, their products and services could break or report inaccurate vulnerability identifiers, making vulnerability management more difficult. To make it easy to update, we have added a section on the CVE website that provides free technical guidance and test data for developers and consumers to use to verify that their products and services will work correctly."
The CVE dictionary contains more than 63,000 unique entries. Products, services, and organizations around the world use CVE-IDs to help enhance information security, and CVE is formally recommended by the International Telecommunication Union (ITU-T) standards body for worldwide use.
"The clock is ticking," added Steve Boyle, Principal Information Security Engineer at MITRE and CVE program manager. "Even if we don't have to move to the new syntax before the end of 2014, we will ensure that we issue at least one 5-digit CVE-ID by Tuesday, January 13, 2015. All organizations that use CVE-IDs need to take action now to make the upgrade before this rapidly-approaching deadline."
About The MITRE Corporation
The MITRE Corporation is a not-for-profit organization that operates research and development centers sponsored by the federal government. Learn more about MITRE.
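The release above warns that tools hard-coded to a four-digit sequence number will "break or report inaccurate vulnerability identifiers" once five-digit CVE-IDs are issued. The following Python is an added example (not MITRE's test data or any vendor's code) that puts a legacy four-digit extractor next to a parser for the new syntax, including the rule that leading zeros only pad the sequence to four digits, and shows the string-sort pitfall that five-digit IDs introduce. The sample advisory text is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Legacy pattern many pre-2014 tools hard-coded: exactly four sequence digits.
# On a five-digit ID it does not fail loudly; it truncates and reports a wrong
# identifier, which is the breakage the press release describes.
LEGACY_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4})")

# New syntax: four-digit year, then a sequence number of at least four digits
# with no fixed upper bound (five, six, or more digits are all valid).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample advisory text (not from the page): a 4-digit ID, a
# lower-case variant, a 5-digit ID and a malformed ID with a surplus leading zero.
SAMPLE_ADVISORY = (
    "Fixed CVE-2014-0160 (Heartbleed) and cve-2014-0224. "
    "Also addresses CVE-2014-10000 and rejects bogus CVE-2014-00160."
)


def parse_cve_id(text: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE-ID, else None.

    Leading zeros are padding up to four digits only (CVE-2014-0160);
    a sequence of five or more digits must not begin with a zero.
    """
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq[0] == "0":
        return None
    return int(year), int(seq)


def canonical(year: int, sequence: int) -> str:
    """Render (year, sequence) in canonical form: zero-pad to four digits only."""
    return f"CVE-{year:04d}-{sequence:04d}"


def extract_cve_ids(text: str) -> List[str]:
    """Find every CVE-ID in free text (advisory, changelog, log line),
    normalized to canonical upper-case form, de-duplicated, order preserved."""
    seen, out = set(), []
    for m in CVE_RE.finditer(text):
        parsed = parse_cve_id(m.group(0))
        if parsed is None:          # malformed ID: skip rather than guess
            continue
        cid = canonical(*parsed)
        if cid not in seen:
            seen.add(cid)
            out.append(cid)
    return out


def legacy_extract(text: str) -> List[str]:
    """What a four-digit-only tool reports for the same text."""
    return [f"CVE-{y}-{s}" for y, s in LEGACY_CVE_RE.findall(text)]


def sort_cve_ids(ids: List[str]) -> List[str]:
    """Sort numerically by (year, sequence). A plain string sort puts
    CVE-2014-10000 ahead of CVE-2014-2000 because '1' < '2'."""
    return sorted(ids, key=lambda s: parse_cve_id(s) or (0, 0))


if __name__ == "__main__":
    print("new syntax :", extract_cve_ids(SAMPLE_ADVISORY))
    print("legacy tool:", legacy_extract(SAMPLE_ADVISORY))
    print("numeric    :", sort_cve_ids(["CVE-2014-10000", "CVE-2014-2000"]))
    print("string sort:", sorted(["CVE-2014-10000", "CVE-2014-2000"]))
```

Running it shows the legacy extractor misses the lower-case ID and reports CVE-2014-1000 and CVE-2014-0016 for identifiers that do not exist in the text.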
TechDay.com, August 25, 2014
CVE is mentioned as an example when the author states: "Another vulnerability worth discussing is CVE-2014-1776 (unfortunately, not all vulnerabilities get a cool name). This exploit uses an Internet Explorer vulnerability of the use after freed type. In this case, software can be made to reuse an address after this has been freed and, generally, causes the program to crash. If this is coupled with a heap spray (loading specific shell code on the heap and then having that freed pointer jump to your shell code) it is possible to have the target software execute code of your choice. This is how CVE-2014-1776 was exploited. The vulnerability is exploited when the victim visits a malicious HTML page while browsing. Once again, the firewall is not designed to block browsing traffic; no software is used that an AV can scan because the shell code is injected directly into memory. What happens next? Anything the attacker wants to do; provided there is enough space. The attacker can siphon information, install a backdoor or use the code to create a new account."
The author concludes the article by stating: "Vulnerabilities are found in all software and they are not limited to servers and enterprise software. They can be found in the smallest program as well as in the most complex systems. Any data that passes through your hardware / software, whether it is permanently stored or not, is at risk. The last thing any business, small or large, wants is their data falling into the wrong hands. Vulnerability management should be high up on the list of every sys admin or IT team. Ignore it at your own peril."
This article was written by Emmanuel Carabott.
SCMagazine.com, August 22, 2014
CVE was mentioned in an August 22, 2014 article entitled "JPMorgan Chase customers targeted in massive phishing campaign" on SCMagazine.com.
CVE is mentioned when the author states: "Customers of JPMorgan Chase are the target of a massive multifaceted phishing campaign impacting mostly people in the U.S., according to security firm Proofpoint. The campaign is noteworthy because of how "unsubtle" it is, Kevin Epstein, VP of advanced security and governance with Proofpoint, told SCMagazine.com on Friday, explaining that roughly 500,000 phishing emails have been sent out so far, with about 150,000 going out in the first wave. The phishing email looks quite legitimate and asks recipients to click to read a secure and encrypted message from JPMorgan Chase, according to a Thursday post. Clicking on the email will bring users to a phishing page requesting credentials; however, the phishing page also hosts the RIG Exploit Kit, which aims to take advantage of numerous vulnerabilities to download a variant of Dyre malware that was initially undetected by anti-virus. Among those vulnerabilities are CVE-2012-0507 and CVE-2013-2465 for Java, CVE-2013-2551 for Internet Explorer 7, 8 and 9, CVE-2013-0322 for Internet Explorer 10, CVE-2013-0634 for Flash, and CVE-2013-0074 for Silverlight, Epstein said."
This article was written by Adam Greenberg.
CSOonline.com, August 19, 2014
CVE was mentioned in an August 19, 2014 article entitled "Heartbleed to blame for Community Health Systems breach: This is the first time Heartbleed has been linked to such an incident" on CSOonline.com.
CVE is mentioned at the outset of the article, when the author states: "According to a blog post from TrustedSec, an information security consultancy in Ohio, the breach at Community Health Systems (CHS) is the result of attackers targeting a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed. The incident marks the first case Heartbleed has been linked to an attack of this size and type."
The author concludes the article as follows: "Unfortunately, CHS may just be the latest, most public victim. Research released on Tuesday by Websense shows an increase in the number of attacks hitting hospitals and medical groups since last October. According to their research, the majority of the attacks are delivered via Heartbleed."
This article was written by Steve Ragan.
PCWorld.com, August 7, 2014
CVE was mentioned in an August 7, 2014 article entitled "NAS boxes more vulnerable than routers, researcher finds" on PCWorld.com. The main focus of the article is that "A security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code."
CVE is mentioned as follows: "So far, the security organization MITRE has assigned 22 CVE (Common Vulnerabilities and Exposures) identifiers for the issues the researcher has found, but the [NAS device evaluation] project has just begun and [many more are expected to be found] by the end of the year."
This article was written by Lucian Constantin.
CVE Identifier "CVE-2014-0224" Cited in Numerous Security Advisories and News Media References about the Most Critical OpenSSL Vulnerability since Heartbleed
CVE-2014-0224 was cited in numerous major advisories, posts, and articles related to the most recent critical OpenSSL vulnerability since Heartbleed—an SSL man-in-the-middle (MITM) vulnerability—including the following examples:
Other news articles may be found by searching on "CVE-2014-0224" using your preferred search engine. Also, please see the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 for a list of advisories used as references.
MITRE Cybersecurity Blog, May 7, 2014
CVE, CWE, and CAPEC are the main topics of an article "Security Standards Help Stop Heartbleed" by CAPEC Technical Lead Drew Buttner on MITRE's Cybersecurity blog on May 7, 2014. "Heartbleed," or CVE-2014-0160, is a serious vulnerability in "certain versions of OpenSSL where it enables remote attackers to obtain sensitive information, such as passwords and encryption keys. Many popular websites have been affected or are at risk, which in turn, puts countless users and consumers at risk."
The article defines the Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Common Attack Pattern Enumeration and Classification (CAPEC™) efforts and explains the problem each solves.
In sections entitled "CVE and Heartbleed," "CWE and Heartbleed," and "CAPEC and Heartbleed," the article describes how CVE helped when the issue became public by assigning CVE-2014-0160 to what also was referred to as the Heartbleed bug, and how CWE and CAPEC can help prevent future Heartbleeds.
The author then concludes the article as follows: "Security automation efforts such as CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities such as Heartbleed in the future. But it is incumbent upon developers and other security professionals to actively leverage resources such as these to be better prepared for the next Heartbleed."
Read the complete article at http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed.
CVE Identifier "CVE-2014-0160" Cited in Numerous Security Advisories and News Media References about the Heartbleed Vulnerability
The CVE Identifier assigned to the "Heartbleed" vulnerability—CVE-2014-0160—was released on April 7, 2014, the same day that the vulnerability was made public. The existence of this identifier has enabled the worldwide community to converse and share information about this vulnerability in a rapid and efficient manner.
CVE-2014-0160 was cited in nearly every major advisory, post, article, and response related to Heartbleed, including the following examples:
Numerous other news articles may be found by searching on "Heartbleed" and/or "CVE-2014-0160" using your preferred search engine. Also, please see the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 for a list of advisories used as references.
Symantec Corporation Website, April 2014
CVE Identifiers are used throughout Symantec Corporation's "2014 Internet Security Threat Report, Volume 19," which was released in April 2014, to uniquely identify many of the vulnerabilities referenced in the report text and infographics.
Symantec is a member of the CVE Editorial Board, and its DeepSight Alert Services and SecurityFocus Vulnerability Database are recognized as "Officially CVE-Compatible" in the CVE-Compatible Products and Services section.
The free report is available for download at http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf.
ContinuousAssurance.org Website, April 29, 2014
CVE and Common Weakness Enumeration (CWE™) are included as references in an April 29, 2014 white paper entitled "Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?" by James A. Kupsch and Barton P. Miller of the Software Assurance Marketplace (SWAMP) at the University of Wisconsin. The following were cited as references in the white paper, together with their URLs: CVE-2014-0160, CWE-130: Improper Handling of Length Parameter Inconsistency, and CWE-125: Out-of-Bounds Read.
CrosstalkOnline.org Website, March/April 2014
CVE is mentioned in the preface to the March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components."
The preface was written by Roberta Stempfley, Acting Assistant Secretary at the U.S. Department of Homeland Security's Office of Cybersecurity and Communications, and CVE is mentioned as follows: "How can we collaboratively orchestrate industry and government response to these attacks [on information and communications technology (ICT) assets]? One way is through the Common Vulnerabilities and Exposures (CVE) List, which is an extensive listing of publicly known vulnerabilities found after ICT components have been deployed. Sponsored by the Department of Homeland Security (DHS), the ubiquitous adoption of CVE has enabled the public and private sectors to communicate domestically and internationally in a consistent manner the vulnerabilities in commercial and open source software. CVE has enabled our operations groups to prioritize, patch, and remediate nearly 60,000 openly reported vulnerabilities. Unfortunately, vulnerabilities are proliferating rapidly thus stretching our capabilities and resources. As we seek to discover and mitigate the root causes of these vulnerabilities, sharing the knowledge we have of them helps to mitigate their impact. In order to keep pace with the threat, we must facilitate the automated exchange of information. 
To achieve that, DHS sponsors "free for use" standards, such as: Common Weakness Enumeration (CWE), which provides for the discussion and mitigation of architectural, design, and coding flaws introduced during development and prior to use; Common Attack Pattern Enumeration and Classification (CAPEC), which enables developers and defenders to discern the attacks and build software resistant to them; Malware Attribute Enumeration and Characterization (MAEC), which encodes and communicates high-fidelity information about malware based upon behaviors, artifacts, and attack patterns; Structured Threat Information eXpression (STIX), which conveys the full range of potential cyber threat information using the Trusted Automated eXchange of Indicator Information."
The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.
CrosstalkOnline.org Website, March/April 2014
CVE and Common Weakness Enumeration (CWE™) are included in an article written by MITRE Senior Principal Engineer Robert A. Martin entitled "Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent" in the March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components."
CVE and CWE are mentioned in a section entitled "Making Change through Business Value," as follows: "For an example of a behavior change in an industry motivated by a new perceived business value, consider that many of the vendors currently doing public disclosures are doing so because they wanted to include CVE Identifiers in their advisories to their customers. However, they could not have CVE Identifiers assigned to a vulnerability issue until there was publicly available information on the issue for CVE to correlate. The vendors were motivated to include CVE Identifiers due to requests from their large enterprise customers who wanted that information so they could track their vulnerability patch/remediation efforts using commercially available tools. CVE Identifiers were the way they planned to integrate those tools. Basically the community created an ecosystem of value propositions that influenced the software product vendors (as well as the vulnerability management vendors) to do things that helped the community, as a whole, work more efficiently and effectively. Similarly, large enterprises are leveraging CWE Identifiers to coordinate and correlate their internal software quality/security reviews and other assurance efforts. From that starting point, they have been asking the Pen Testing Services and Tools community to include CWE identifiers in their findings. While CWE Identifiers in findings was something that others had cited as good practice, it was not until the business value to Pen Testing industry players made sense that they started adopting them and pushing the state-of-the-art to better utilize them."
CWE is also mentioned in a section entitled "Assurance for the Most Dangerous Non-Malicious Issues" that explains what CWE is and how the information "can assist project staff in planning their assurance activities; it will better enable them to combine the groupings of weaknesses that lead to specific technical impacts with the listing of specific detection methods. This provides information about the presence of specific weaknesses, enabling them to make sure the dangerous ones are addressed."
The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.
NetworkWorld.com, March 26, 2014
CVE is mentioned in a March 26, 2014 article entitled "Biased software vulnerability stats praising Microsoft were 101% misleading" on NetworkWorld.com. The main topic of the article is a review of the "Secunia Vulnerability Review 2014" report.
CVE is mentioned when the author references the talk about the impact of the uncertainty in vulnerability statistics entitled "Buying into the Bias: Why Vulnerability Statistics Suck" at Black Hat Briefings 2013 that was co-presented by CVE List Editor Steve Christey and Brian Martin of the Open Security Foundation in Las Vegas, NV, on July 31, 2013.
The author states: "If a vulnerability report is misleading, then I can only imagine the amount of aggravation it causes some people, such as the gentlemen who presented "Buying Into the Bias: Why Vulnerability Statistics Suck" at Black Hat 2013. At that time, Jericho, the content manager of the Open Source Vulnerability Database (OSVDB), and Steve Christie, the editor of the Common Vulnerabilities and Exposures (CVE) list, announced, "Most of these statistical analyses are faulty or just pure hogwash. They use the easily-available, but drastically misunderstood data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged, that ultimately forms statistics that make headlines and, far worse, are used for budget and spending." During their presentation, they added, "As maintainers of two well-known vulnerability information repositories, we're sick of hearing about sloppy research after it's been released, and we're not going to take it any more." The author then discusses Brian Martin's (aka Jericho's) review of the Secunia report.
GCN.com, March 21, 2014
CVE is mentioned in a March 21, 2014 article entitled "When software development produces a lemon, make lemonade" on GCN.com. CVE is mentioned when the author states: "the Secure Development Lifecycle (SDL) that grew out of the Microsoft initiative has helped to change the way developers think about software security. The SDL process now shows up as a requirement in government procurements, and the National Security Agency says it has made an impact on OS security. "A fundamental goal of the SDL process is to reduce the attack surface," NSA said in an evaluation of Windows 7 security for the Defense Department and the intelligence community. "Since adoption of the SDL process, the number of Common Vulnerabilities and Exposures on Microsoft products in the National Vulnerability Database has declined." "A preliminary System and Network Analysis Center analysis has determined that the new Windows 7 security features, coupled with the use of the SDL process throughout the development cycle, has assisted in the delivery of a more secure product," the assessment concluded. We still are a long way from being as secure as we want to be or can be. But there has been progress."
Secunia Web Site, February 26, 2014
CVE-IDs are included in the annual "Secunia Vulnerability Review 2014" report by Secunia, which "Analyzes the evolution of software security from a global endpoint perspective. It presents data on vulnerabilities and the availability of patches, and correlates this information with the market share of programs to map the security threats to IT infrastructures." The report also explains what CVE is and how common identifiers improve security.
How CVE-IDs are used in the report is explained as follows: "CVE has become a de facto industry standard used to uniquely identify vulnerabilities which have achieved wide acceptance in the security industry. Using CVEs as vulnerability identifiers allows correlating information about vulnerabilities between different security products and services. CVE information is assigned in Secunia Advisories. The intention of CVE identifiers is, however, not to provide reliable vulnerability counts, but is instead a very useful, unique identifier for identifying one or more vulnerabilities and correlating them between different sources. The problem in using CVE identifiers for counting vulnerabilities is that CVE abstraction rules may merge vulnerabilities of the same type in the same product versions into a single CVE, resulting in one CVE sometimes covering multiple vulnerabilities. This may result in lower vulnerability counts than expected when basing statistics on the CVE identifiers."
The report is available for download at http://secunia.com/vulnerability-review/index.html.