2004 Industry News Coverage (Archive)

Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2004

Date: 12/2004
Publication: PredatorWatch Web Site

Byline: Gary S. Miliefsky
Headline: "Proactive Network Security: Do You Speak CVE?"

Excerpt or Summary:
CVE was the main topic of this white paper in which the author calls CVE a standard and describes what CVE is and isn't; mentions "Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" issued by the U.S. National Institute of Standards and Technology (NIST), which recommends the use of the CVE naming scheme by government agencies; notes that CVE is funded by the U.S. Department of Homeland Security; and provides a link to the CVE Web site. The white paper also includes specific sections regarding CVE: "Do You Speak CVE?," "Keep Up To Date On CVEs," "Exploiting CVEs," "Removing CVEs," "Protect Against CVE Exploiters," "Audit Your Network For CVEs," "Lock The Doors Against CVE Exploits," and "Cleanup Your CVEs."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 128 and Update Service, PredatorWatch Auditor 16 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded official "Certificates of CVE Compatibility" in November 2004.

Date: 12/2004
Publication: Department of Computer Science, Princeton University

Byline: Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel
Headline: "TR-718-04: Policy-based Multihost Multistage Vulnerability Analysis"

Excerpt or Summary:
CVE was mentioned in this technical report from the Department of Computer Science at Princeton University that introduces the concept of "MulVAL, an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network." CVE names were used by the authors to identify the network vulnerabilities to be tested by MulVAL. CVE was also identified in a footnote along with the address for the CVE Web site: "Common Vulnerabilities and Exposures (CVE) is a list of standardized names for vulnerabilities and other information security exposures. http://cve.mitre.org".

Date: 12/2004
Publication: eWeek

Byline: eWeek Labs
Headline: "An Applications View on Security"

Excerpt or Summary:
CVE was mentioned in this article whose main topic is how developers can prevent security problems. The article also reports that "three application firewall vendors—Teros Inc., NetContinuum Inc. and Imperva Inc.—threw down a challenge to other security vendors to submit their products to independent testing by International Computer Security Association Labs (a division of TruSecure Corp.) to determine their effectiveness against application-level attacks."

CVE was mentioned in a quote by Gary Miliefsky, CEO of PredatorWatch Inc., who states: "Most developers don't make adequate use of the Common Vulnerabilities and Exposures data at cve.mitre.org. I was speaking to a group the other night, and I said, 'Raise your hand if you know what a CVE is.' No one raised their hand. A developer needs to know when a product is opening a port or using any other resource what vulnerabilities it's opening."

PredatorWatch, Inc. and three PredatorWatch Auditor products are listed on the CVE-Compatible Products and Services page.

Date: 12/2004
Publication: Information Security Magazine

Byline: Jay Beale
Title: "'Big O' For Testing"

Excerpt or Summary:
CVE was mentioned in this article that discusses MITRE Corporation's OVAL project, in which the author states: "The Open Vulnerability Assessment Language (OVAL) project, headed by nonprofit MITRE and funded by the Department of Homeland Security's U.S.-CERT, is being developed as a standardized process by which security tool creators, operating system vendors and security professionals test systems for exploitable vulnerabilities. XML-based OVAL leverages MITRE's Common Vulnerabilities and Exposures (CVE) Initiative . . . [and] gives security managers the ability to test for a particular CVE vulnerability in OVAL-compliant applications and platforms. OVAL will tell testers whether vulnerable software is installed and, if so, whether it has a vulnerable configuration."

MITRE's OVAL Web site is listed on the CVE-Compatible Products and Services page and OVAL-IDs are included as references in CVE names when applicable.

Date: 12/23/2004
Publication: VirusBulletin.com

Title: "Synchronized malware identification for the new year"

Excerpt or Summary:
CVE was mentioned twice in this article about MITRE and US-CERT's Common Malware Enumeration (CME) initiative. CVE is mentioned in the first paragraph, which states: "The US Department of Homeland Security's Computer Emergency Readiness Team, US-CERT, is set to coordinate a Common Malware Enumeration (CME) initiative, according to a letter sent to the SANS Institute and signed by representatives of the DHS, Symantec, Microsoft, McAfee, and Trend Micro. Rather like Mitre Corp's Common Vulnerabilities and Exposures (CVE) list, US-CERT plans to maintain and coordinate a database of malware identifiers." CVE is mentioned a second time when the article states: "By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants ... hopes to address many of the challenges that the anti-malware community currently faces."

Date: 12/7/2004
Publication: Network Computing's Security Pipeline

Byline: Joanne Vanauken
Title: "Test Run: PredatorWatch's Auditor 128"

Excerpt or Summary:
CVE was mentioned in the second paragraph of this product review, in which the author states: "To identify vulnerabilities and test compliance to HIPAA, Sarbanes-Oxley, ISO-17799 and other regulations, Auditor uses the CVE (Common Vulnerabilities and Exposures) dictionary of known threats."

PredatorWatch, Inc. and three PredatorWatch Auditor products are listed on the CVE-Compatible Products and Services page.

November 2004

Date: 11/2004
Publication: Information Security Magazine

Byline: George Wrenn
Title: "Products: Vulnerability Assessment"

Excerpt or Summary:
CVE was mentioned in a product review of Sunbelt Software's vulnerability assessment scanner, Sunbelt Network Security Inspector (SNSI), in Information Security Magazine's "Products" column. The author states: "SNSI ships with more than 3,100 vulnerability signatures, including the SANS/FBI Top 20, CVE, CIAC, CERT and FedCIRC advisories." CVE is also mentioned later in the review, when the author states: "Any identified vulnerabilities are displayed on the console with links to additional information, such as CERT or CVE."

Sunbelt Software and its Network Security Inspector product are listed on the CVE-Compatible Products and Services page.

Date: 11/9/2004
Publication: SecurityProNews.com

Byline: George Wrenn
Title: "Citadel's Hercules Compliant With CVE Initiative"

Excerpt or Summary:
CVE compatibility was the main topic of this article about Citadel Security Software Inc. announcing that its ". . . [Automated Vulnerability Remediation] solution, Hercules, has been certified as fully compliant and compatible with the Common Vulnerabilities and Exposures (CVE) Initiative."

The article included a quote by Carl Banzhof, CTO of Citadel Security Software, who states: "Prior to this award ceremony, only 14 products or services from 10 organizations had achieved the final phase of MITRE's formal CVE Compatibility Process and become officially CVE-compatible. We are proud to be the first automated vulnerability remediation solution to meet the CVE compatibility requirements. By achieving full CVE compatibility for Hercules, our customers now have better vulnerability coverage, easier interoperability and enhanced security across the enterprise." The article also included a quote by Kent Landfield, a CVE Editorial Board member since 1999 and Security Group Director for Citadel, who states: "The CVE Initiative brings consistency and interoperability to the security and computing community. The CVE Compatibility Process is a formal evaluation of submitted information security products and services. The testing and certification process assures products meet the criteria set out by the CVE Initiative to prove they are CVE-compatible."

Citadel Security Software Inc. and Hercules are listed on the CVE-Compatible Products and Services page.

Date: 11/30/2004
Publication: ZDNet

Byline: Gary Miliefsky
Headline: "A guide to proactive network security"

Excerpt or Summary:
CVE was mentioned throughout this article advocating proactive network security, in which the author uses CVE names as a synonym for computer vulnerabilities: ". . . a single enterprise can spend thousands on firewalls, VPNs, antivirus and IDS systems, while the real network security culprits, "Common Vulnerabilities and Exposures" (CVEs), go largely undetected. CVEs are essentially holes in applications that can be attacked by hackers and cyber terrorists to steal information or bring down networks. CVEs are a real problem and according to the 2004 E-Crime Survey are the systemic cause of over 90 percent of all network security breaches."

The author advocates a number of steps to proactive network security including developing and employing a security policy, locking down mobile devices, turning on wireless encryption, using and patching routers, using firewalls, downloading and installing commercial-grade security tools, disabling potentially exploitable browser objects, constantly keeping up with the latest threats, and closing known vulnerabilities. The author states: "But preventing the attack with a vulnerability management system to eliminate CVEs is the most important component [of proactive network security]."

Regarding closing known vulnerabilities the author states: "Known weaknesses in systems are called Common Vulnerabilities and Exposures (CVEs), compiled and documented by the MITRE organization. These vulnerabilities should be eliminated from every system on your network by applying patches or taking other actions, as required. Technology is available to automatically detect and eliminate CVEs. More information is detailed at the cve.mitre.org Web site."

Date: 11/9/2004
Publication: Citadel Security Software Web Site

Headline: "Citadel Security Software's Hercules Awarded Certificate of Compatibility for Full CVE Compliance"

Excerpt or Summary:
CVE compatibility was the main topic of this press release by Citadel Security Software Inc., in which Citadel announces that its ". . . [Automated Vulnerability Remediation] solution, Hercules, has been certified as fully compliant and compatible with the Common Vulnerabilities and Exposures (CVE) Initiative."

The release included a quote by Carl Banzhof, CTO of Citadel Security Software, who states: "Prior to this award ceremony, only 14 products or services from 10 organizations had achieved the final phase of MITRE's formal CVE Compatibility Process and become officially CVE-compatible. We are proud to be the first automated vulnerability remediation solution to meet the CVE compatibility requirements. By achieving full CVE compatibility for Hercules, our customers now have better vulnerability coverage, easier interoperability and enhanced security across the enterprise." The release also included a quote by Kent Landfield, a CVE Editorial Board member since 1999 and Security Group Director for Citadel, who states: "The CVE Initiative brings consistency and interoperability to the security and computing community. The CVE Compatibility Process is a formal evaluation of submitted information security products and services. The testing and certification process assures products meet the criteria set out by the CVE Initiative to prove they are CVE-compatible."

Citadel Security Software Inc. and Hercules are listed on the CVE-Compatible Products and Services page.

Date: 11/9/2004
Publication: DragonSoft Security Associates Web Site

Headline: "ASIA Vulnerability Assessment Leader DragonSoft Awarded CVE-Compatibility Certificate"

Excerpt or Summary:
CVE compatibility was the main topic of this press release by DragonSoft Security Associates, Inc., in which DragonSoft announces that "DragonSoft is the first and only Taiwan security developer [to receive a Certificate of Official CVE Compatibility] among 125 security vendors in the world" and that receipt of the certificate is a major milestone for DragonSoft.

DragonSoft Security Associates, Inc. and DragonSoft Secure Scanner are listed on the CVE-Compatible Products and Services page.

Date: 11/9/2004
Publication: eEye Digital Security Web Site

Headline: "Vulnerability Management Leader eEye Digital Security Awarded CVE-Compatibility by MITRE Corporation"

Excerpt or Summary:
CVE compatibility was the main topic of this press release by eEye Digital Security, in which eEye announces that "its industry-leading network security scanner Retina has been awarded compatibility with the Common Vulnerabilities and Exposures (CVE) . . ." The release also includes a quote by Firas Raouf, eEye's Chief Operating Officer, who states: "Retina's recognition as one of the first network security scanners to achieve CVE-compatibility demonstrates eEye's commitment to interoperability throughout the security industry. Our world-class research team has discovered more critical security vulnerabilities than any other, so we understand the compelling need for naming standards to effectively communicate these vulnerabilities to the security community."

eEye Digital Security and Retina Network Security Scanner are listed on the CVE-Compatible Products and Services page.

Date: 11/9/2004
Publication: nCircle Network Security Web Site

Headline: "nCircle Recognized for Common Vulnerabilities Exposure Compatibility"

Excerpt or Summary:
CVE compatibility was the main topic of a November 9, 2004 press release by nCircle Network Security, Inc. entitled "nCircle Recognized for Common Vulnerabilities Exposure Compatibility." In the release nCircle announces that it "has been formally recognized for Common Vulnerabilities Exposure (CVE) compatibility for its IP360 Vulnerability Management System." The release further states: "The award, presented to nCircle this week during the CSI Computer Security Conference in Washington, DC, recognizes security products that have incorporated MITRE Corporation's CVE names in its vulnerability search databases and other information security products and services."

The release also includes a quote by Tim Keanini, Chief Technical Officer at nCircle, who states: "nCircle actively supports standardization efforts in the security market, including the CVE's common lexicon for the vulnerability namespace. We are committed to ensuring nCircle's IP360 product continues to support CVE names, and provides customers with the best tools for vulnerability management."

nCircle Network Security, Inc. and its IP360 Vulnerability Management System are listed on the CVE-Compatible Products and Services page.

Date: 11/9/2004
Publication: SAINT Corporation Web Site

Headline: "SAINTbox and WebSAINT Are Certified CVE-Compatible"

Excerpt or Summary:
CVE compatibility was the main topic of a November 9, 2004 press release by SAINT Corporation entitled "SAINTbox and WebSAINT Are Certified CVE-Compatible." In the release SAINT announces that "On Monday, November 8th, MITRE Corporation awarded their CVE (Common Vulnerabilities and Exposures) Certificate of Compatibility to two SAINT Corporation products: SAINTbox and WebSAINT. During an awards ceremony at the 31st Annual Computer Security Conference and Exhibition in Washington, D.C., SAINT Corporation was honored for their work in this effort and passing the final and most rigorous phase of the compatibility process."

Also included in the release is a quote by Sam Kline, SAINT's Chief Development Engineer, who states: "We are pleased to be adding SAINTbox and WebSAINT to our growing suite of CVE-compatible tools. The CVE naming standard fills an important need in today's security community, and maintaining accurate references in all of our products has always been and will remain a high priority for us."

SAINT Corporation and its SAINTbox and WebSAINT products are listed on the CVE-Compatible Products and Services page.

Date: 11/8/2004
Publication: Computerworld

Byline: Mark Hall
Headline: "Survey Shows IT 'Out of Shape ..."

Excerpt or Summary:
CVE was mentioned briefly in this opinion article, which mentions the release of PredatorWatch, Inc.'s Auditor 128 product. The article states: "According to Gary Miliefsky, CEO of PredatorWatch Inc. in North Chelmsford, Mass., as soon as a PredatorWatch Auditor 128 appliance is connected to a wireless LAN, it builds a database on up to 256 IP-based systems and conducts common vulnerability exposure (CVE) tests that reveal "anything that can be exploited." About the size of a paperback, the Auditor 128 provides information such as recommendations of patches needed for Windows-based systems. The appliance can also block unauthorized network access . . . plus a monthly subscription fee. . . for CVE updates."

PredatorWatch, Inc. and its PredatorWatch Auditor 128 and Update Service, along with two other PredatorWatch products, are listed on the CVE-Compatible Products and Services page.

Date: 11/5/2004
Publication: PredatorWatch Web Site

Headline: "PredatorWatch Launches World's Most Comprehensive Enterprise Security Management Appliance for Small- to Mid-Sized Networks"

Excerpt or Summary:
CVE was mentioned in this press release about PredatorWatch, Inc.'s Auditor 128 product. CVE is mentioned in the second paragraph of the release, which states: "A single business can spend hundreds or even thousands of dollars on countermeasures such as intrusion detection systems, firewalls and anti-virus software, while the real network security culprits are common vulnerabilities and exposures (CVEs). CVEs, anything that can be exploited on any computer, are the systemic cause of over 95% of all network security breaches."

CVE is also mentioned in a quote by a PredatorWatch customer, Stephen Irish, executive vice president, Enterprise Bank and Trust Company, who states: ". . . the company's technology helps ensure newly deployed servers are locked down and allows us to remain up-to-date on the latest vulnerabilities and exposures on the CVE List. The technology also detects and diagnoses potential security flaws that could cause our bank to be at risk and non-compliant with GLBA and FDIC requirements."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 128 and Update Service, PredatorWatch Auditor 16 and Update Service, and PredatorWatch Auditor Enterprise and Update Service each recently received official "Certificates of CVE Compatibility" at MITRE's compatibility awards ceremony on November 8th at the CSI Computer Security Conference in Washington, D.C., USA.

October 2004

Date: 10/1/2004
Publication: Baseline Magazine

Byline: Debbie Gage
Headline: "AGIA: Identity Crisis"

Excerpt or Summary:
CVE was mentioned briefly in this article about a company's network being hacked and their follow-up to the incident, including using CVE-compatible products to address the problems. CVE was mentioned as follows: "The [PredatorWatch] appliance, which runs on a secured version of Linux, finds IP addresses and scans the hardware or software associated with them for Common Vulnerabilities and Exposures (CVEs), a federally funded list of flaws maintained by the MITRE Corp. When it finds flaws-a Web server with an extra open port, for example, like the one that attackers probably used to take control of the hosting company's server-it can flag them. PredatorWatch also integrates with automated patch management software and issues reports classifying vulnerabilities by severity. Each is identified by IP address and can include likely scenarios of attack, suggested remedies, and any impact on a company's regulatory requirements."

PredatorWatch, Inc. and three PredatorWatch products are listed on the CVE-Compatible Products and Services page.

September 2004

Date: 9/2004
Publication: Security Information and Communications Magazine (Spanish)

Byline: Robert A. Martin
Headline: "CVE and Its Impact on the Management of Vulnerabilities"

Excerpt or Summary:
CVE was the main topic of this Spanish-language article in SIC magazine. Written by CVE Compatibility Lead Robert A. Martin, the article describes what CVE is and isn't and explains how vulnerability management can be enhanced using the CVE naming scheme and the adoption of CVE-compatible products and services.

August 2004

Date: 8/20/2004
Publication: Information Security Magazine

Byline: Lisa Phifer
Headline: "No sweat appliances"

Excerpt or Summary:
CVE was mentioned briefly in this article in a section entitled "Going Deep to Detect Intruders," in which the author states: "With the rise of "blended threats," it's getting harder to differentiate viruses from nonviral exploits. Viruses that slip past AV scans may generate traffic that IDSes can catch. Some products look for CVE-based signatures, attack methods and exploits, while others look for anomalies such as malformed packets, state violations and prohibited values."

Date: 8/8/2004
Publication: PatchAdvisor Web Site

Headline: "PatchAdvisor, Inc. Announces MITRE-CVE Compatibility"

Excerpt or Summary:
CVE was the main topic of this press release by PatchAdvisor, Inc., which states: "[PatchAdvisor] has announced that its products are now compatible with MITRE Corporation's Common Vulnerabilities and Exposures ("CVE") dictionary. CVE names are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories. Each CVE name includes the following: the CVE identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability or exposure; and any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID). "We are very enthusiastic about our inclusion in the CVE compatibility program" says Jeff Fay, PatchAdvisor's CEO. "The ability to standardize the intelligence that we map to our customers' assets is a crucial element in defining PatchAdvisor's role in the vulnerability and patch management market space." The release also stated: "Visit the CVE-Compatible Products and Services page, http://cve.mitre.org/, to find out about the [196] products that use CVE names, or see Organizations with CVE Names in Advisories for a list of the [57] organizations to-date that are including or have included CVE names in their advisories."

PatchAdvisor is listed on the CVE-Compatible Products and Services page.
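The PatchAdvisor release above lists the parts of a CVE name: the identifier, its "entry" or "candidate" status, a description and references, and notes that the names are used for cross-linking between repositories. The following is an added example written for this page, not code from PatchAdvisor, MITRE or any product named here. It parses identifiers as they appeared in 2004-era advisories, where candidates carried the CAN- prefix and accepted entries the CVE- prefix with the same number (CAN- names were retired in favor of CVE- in 2005), normalizes them to one canonical form, and uses that form to cross-reference two documents. It also accepts the longer sequence numbers introduced in 2014, which go beyond what this page's 2004 sources show. The sample advisory and scan-report strings are constructed for the example and are not real vendor text.

```python
import re
from dataclasses import dataclass

# CVE- marks an accepted entry, CAN- a candidate (legacy 1999-2005 usage).
# Four digits was the only sequence length through 2013; identifiers from
# 2014 onward may have five or more digits, so the pattern allows them.
CVE_ID_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class CveName:
    prefix: str     # "CVE" (entry) or "CAN" (candidate)
    year: int
    sequence: int

    @property
    def status(self) -> str:
        return "entry" if self.prefix == "CVE" else "candidate"

    @property
    def canonical(self) -> str:
        # A candidate that was accepted kept its number and only changed
        # prefix, so CAN-2004-0538 and CVE-2004-0538 name the same issue.
        # Keep the historical zero-padding to four digits.
        width = max(4, len(str(self.sequence)))
        return f"CVE-{self.year}-{self.sequence:0{width}d}"


def _from_match(m: "re.Match[str]") -> CveName:
    return CveName(m.group(1).upper(), int(m.group(2)), int(m.group(3)))


def parse_cve_name(text: str) -> CveName:
    """Parse a single CVE/CAN identifier; reject anything that is not one."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE name: {text!r}")
    return _from_match(m)


def extract_cve_names(text: str) -> list[CveName]:
    """Return the distinct names in free text, first occurrence kept, in order.

    Distinctness is by canonical form, so a CAN- and a CVE- spelling of the
    same number collapse to one entry."""
    seen: dict[str, CveName] = {}
    for m in CVE_ID_RE.finditer(text):
        name = _from_match(m)
        seen.setdefault(name.canonical, name)
    return list(seen.values())


def shared_cve_names(doc_a: str, doc_b: str) -> set[str]:
    """Cross-link two documents (e.g. a vendor advisory and a scanner report)
    by the canonical CVE names they both mention."""
    a = {n.canonical for n in extract_cve_names(doc_a)}
    b = {n.canonical for n in extract_cve_names(doc_b)}
    return a & b


# Constructed sample inputs, labelled as such; not real advisory text.
SAMPLE_ADVISORY = (
    "Security update (constructed sample): fixes CAN-2004-0538 and "
    "CAN-2004-0539 in the URI handler. Duplicate mention: can-2004-0538."
)
SAMPLE_SCAN_REPORT = (
    "host 10.0.0.5 (constructed sample): CVE-2004-0538 high; "
    "CVE-2003-0001 low; CVE-04-0538 is malformed and must be ignored."
)


if __name__ == "__main__":
    for n in extract_cve_names(SAMPLE_ADVISORY):
        print(n.canonical, n.status)
    print(sorted(shared_cve_names(SAMPLE_ADVISORY, SAMPLE_SCAN_REPORT)))
```

Matching on the canonical form is what lets a report that uses the old CAN- spelling line up with a repository that has since promoted the name to CVE-; matching on the raw string would miss it.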

July 2004

Date: 7/2004
Publication: Security Horizon

Byline: Robert A. Martin
Headline: "A CVE-Based Security Management Model"

Excerpt or Summary:
This article, which was written by CVE Compatibility Lead Robert A. Martin, describes what CVE is and isn't and explains how vulnerability management can be enhanced using the CVE naming scheme. The article also describes how CVE compatibility enables enterprise security through the use of shared CVE names, and how using CVE-compatible products and services improves how an organization responds to security advisories. A graphical representation of a CVE-enabled process is also included.

Date: 7/27/2004
Publication: Australian Financial Review

Byline: Peter Moon
Headline: "Putting a name to evil and its Trojan offspring"

Excerpt or Summary:
CVE was mentioned in this article about software vulnerabilities in which the author states: "CVE serves a number of purposes. The mission statement is to catalogue information technology security risks, allotting a unique identifier to each one. A few years back, the same virus, or Trojan, was often identified by half a dozen different names, depending on which security Web site you visited. Under the CVE regime, each unique species has a registration number. It makes it a lot easier for network administrators to see whether there are 10 threats out there, or 10 variants of a threat, or a single threat with 10 names."

In the article, the author calls CVE a standard and describes what it is; mentions the number of CVE names, including those with entry and those with candidate status; notes that CVE is funded by the U.S. Department of Homeland Security; and provides a link to the CVE Web site.

The article is available for purchase on the Australian Financial Review Web site.

Date: 7/15/2004
Publication: Network World Fusion, Network World Security Newsletter

Byline: M. E. Kabay
Headline: "CIRT management: Rapid alerts"

Excerpt or Summary:
CVE was included in this article about three important aspects of early warnings in Computer Incident Response Team (CIRT) management: "notification of vulnerabilities, notification of threats and notification of incidents." CVE is included in the "Vulnerabilities" section of the article, in which the author states: "Finally, regular readers will recall that the Common Vulnerabilities and Exposures (CVE) dictionary (http://cve.mitre.org/) is a superb compendium of standardized names for vulnerabilities and exposures. MITRE writes, "CVE aspires to describe and name all publicly known facts about computer systems that could allow somebody to violate a reasonable security policy for that system. http://cve.mitre.org/about/terminology.html."

The author further states: "MITRE also uses the term "exposure" and defines it as "security-related facts that may not be considered to be vulnerabilities by everyone." You can download the CVE in various formats or you can use the ICAT Metabase ( http://icat.nist.gov/icat.cfm ) to search the CVE for various subsets of vulnerabilities (e.g., by product, version, type, and so on). At the time of this writing (late June) there were 6,663 vulnerabilities in the CVE. As a side note, of these, 1,383 involved buffer overflows (about one-fifth)."

National Institute of Standards and Technology's (NIST) ICAT database is listed on the CVE-Compatible Products and Services page, and NIST is a member of the CVE Editorial Board.

June 2004

Date: 6/24/2004
Publication: Techworld Web site

Byline: Matthew Broersma
Headline: "Mac OS X security myth exposed — And thousands of other products and OSes given security rundown"

Excerpt or Summary:
CVE was mentioned in this article in a paragraph about efforts to list known vulnerabilities: "[Secunia Security Advisories database] allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. [Other organizations include] the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) [List], which provides common names for publicly known vulnerabilities."

Date: 6/24/2004
Publication: Cover Pages Web site

Byline: OASIS
Headline: "Application Vulnerability Description Language (AVDL) Becomes an OASIS Standard"

Excerpt or Summary:
OVAL is mentioned in a news item on this OASIS-sponsored Web site about the version 1.0 specification of the OASIS Application Vulnerability Description Language being approved as an OASIS Standard. OVAL is referenced as an inspirational source for elements of the document: "The AVDL TC Chairs indicate that some features of the AVDL specification design were inspired by MITRE's Open Vulnerability Assessment Language (OVAL), which uses the Common Vulnerabilities and Exposures (CVE) [List]."

AVDL stands for Application Vulnerability Description Language, an interoperability standard being proposed by four application security vendors as part of the Organization for the Advancement of Structured Information Standards (OASIS) standards process. AVDL differs from the OVAL effort in its objective: AVDL aims to create more interoperability among security tools by using XML to describe application security vulnerability information that tools can exchange, while the main focus of OVAL is to provide a baseline method for performing vulnerability testing on end systems. OVAL has two main pieces: an OVAL XML language standard for describing the software configuration state of end systems, and OVAL content consisting of libraries of logical tests for the presence of a particular vulnerability on particular end systems (these tests are expressed as software configuration conditions in the OVAL language). Established prior to AVDL, OVAL is an information security community effort that includes participation from numerous organizations around the world through the OVAL Community Forum and the OVAL Board. This participation includes Citadel Security Software, one of the organizations proposing AVDL, which is also a member of the OVAL Board.

The MITRE Corporation manages and maintains both CVE and OVAL.

Date: 6/7/2004
Publication: Mac News Network Web site

Byline: OASIS
Headline: "Apple fixes URI exploits with security update"

Excerpt or Summary:
CVE names were included in this article about Apple Computer, Inc. fixing URI exploits in a recent security update. The article referenced CAN-2004-0538 and CAN-2004-0539, and included links to the pages for these two CVE names on the CVE Web site.

Date: 6/7/2004
Publication: eWeek.com

Byline: David Morgenstern
Headline: "Apple Patches App-Launching Vulnerability in Mac OS X"

Excerpt or Summary:
CVE was mentioned in this article about a security update from Apple Computer, Inc. regarding a "new patch [Security Update 2004-06-07, that] addresses vulnerabilities when launching documents and applications from a Web page . . . for both client and server versions of Mac OS X 10.3 (Panther) and Mac OS X 10.2 (Jaguar)." CVE is mentioned in the third paragraph of the article, in which the author states: "The update specifically fixes two security issues mentioned by the Common Vulnerabilities and Exposures list—which is funded by the U.S. Department of Homeland Security . . . " The article also includes a link to the CVE Web site.

May 2004

Date: 5/2004
Publication: Communications News

Byline: Security Products Column
Headline: "Internet/WAN Networks Security Products"

Excerpt or Summary:
CVE was included in a Security Products column review of Sunbelt Software's Network Security Inspector. CVE is mentioned as one of the features: "The solution uses an automatically updated database that complies with the MITRE Common Vulnerabilities and Exposures List and contains the latest SANS/FBI top 20 vulnerabilities."

Date: 5/2004
Publication: Wide Open Magazine

Byline: Mark Cox
Headline: "Security Response at Red Hat"

Excerpt or Summary:
CVE was included as a question topic in this Q&A article in the 2004 premiere issue of Red Hat's Wide Open magazine. The article is an interview with Mark Cox, Red Hat Security Response team lead, about how Red Hat deals with security vulnerabilities. CVE is the topic of the following question: "In Red Hat Security Advisories you refer to CVE names. What are they and why are they useful?" In his answer Cox describes what CVE is and isn't, notes that Red Hat is a member of the CVE Editorial Board, and mentions that the inclusion of CVE names has made Red Hat Security Advisories "more consistent." Cox further states: ". . . all vulnerabilities that have affected Red Hat products from 2000 to date have been given CVE names and all are searchable on [Red Hat's] Web site and in our advisories." The article also includes a screen capture of the CVE Web site showing the CVE name page for CVE-2001-0731.

Red Hat, Inc. is a member of the CVE Editorial Board; is listed on the CVE-Compatible Products/Services page, which includes one product that has been recognized as officially CVE-compatible and awarded a certificate of compatibility; and Red Hat Security Advisories are listed on the Organizations with CVE Names in Advisories page.

Date: 5/24/2004
Publication: SecuritySearch.com

Byline: Stephen Mencik
Headline: "Ask the Experts: Infrastructure and Network Security"

Excerpt or Summary:
CVE was included in an answer in this column for a question about vulnerability assessment scanners. The author recommends two scanners to the reader, Nessus and SARA, both of which are listed on the CVE-Compatible Products and Services page. CVE is mentioned when the author states: "SARA is nice in that the reports that it produces link to the CVE [List] and generally tell you how to fix the problems that are found."

Date: 5/20/2004
Publication: Network Computing Magazine

Byline: Patricia Thomas
Headline: "Rev Tracker: SSL VPN, security servers, Security Policy Enforcement"

Excerpt or Summary:
CVE was mentioned briefly in this product review article: "Core Security Technologies Core Impact 4.0 Release date 5.26.2004. Core Impact 4.0 performs penetration tests quickly and automatically replicates attack steps from reconnaissance through exploit, cleanup and reporting. Exploit search functions investigate by target platform, service, and CVE (Common Vulnerabilities and Exposure) number or name. www.coresecurity.com."

Core Security Technologies and Core Impact are listed on the CVE-Compatible Products and Services page.

Date: 5/17/2004
Publication: Security Wire Perspectives, Vol. 6, No. 39

Byline: Robert A. Martin
Headline: "Security Patches Got You Running in Circles?"

Excerpt or Summary:
OVAL was the main topic of this article about MITRE's Open Vulnerability Assessment Language (OVAL) project, entitled "Security Patches Got You Running in Circles?" Written by CVE Compatibility Lead and OVAL Team Member Robert A. Martin, the article describes what OVAL is and how system administrators would have an easier time managing patches if their vendor's security advisories included OVAL definitions. OVAL is the common language for security experts to discuss the technical details of how to identify the presence of vulnerabilities on computer systems using Community Forum-developed XML definitions, each of which is based on a CVE name.

CVE is mentioned as one of two main reasons for recommending OVAL: "MITRE . . . has developed this initiative to follow the Common Vulnerabilities and Exposures (http://cve.mitre.org) model. Where CVE assigns standard names to vulnerabilities, OVAL takes the next step. It's designed to collect and document the latest vulnerability testing ideas, and make them publicly available so that your tool vendors and service providers can incorporate them into the information security products and services you use." The article also addresses the question of why organizations should adopt OVAL: "It will save your system and security administrators time, and that translates to lower overhead for you. They can also secure your systems more quickly because they can apply the workarounds and won't have to wait to deploy a patch. Scanning tools will immediately report on successful mitigation, showing the success of any workarounds your system and security administrators have implemented whether or not they applied the patches."

The article also provides links to the CVE and OVAL Web sites.

Date: 5/3/2004
Publication: TechRepublic.com

Byline: John McCormick
Headline: "TCP Reset Spools a Serious Flaw with Routers: Protect Yourself"

Excerpt or Summary:
CVE was mentioned at the end of this article in a section entitled "Also watch out for" in which the author states: "[The] massive and welcome [Open Source Vulnerability Database] project was initially undertaken by a group of security specialists about two years ago. Unlike MITRE's CVE, which is only intended to provide a unique identifier for every new exploit, the OSVD includes a lot of details regarding all the included vulnerabilities."

April 2004

Date: 4/2004
Publication: COTS-Based Software Systems - Third International Conference, ICCBSS 2004 Proceedings (Book)

Author: Springer-Verlag Lecture Notes in Computer Science
Publisher: Springer-Verlag

Excerpt or Summary:
A chapter of this publication entitled "Managing Vulnerabilities in Your Commercial-Off-The-Shelf (COTS) Systems Using an Industry Standards Effort (CVE)" was written by CVE Compatibility Lead Robert A. Martin.

Date: 4/2004
Publication: Proceedings of Software Quality Management XII - New Approaches to Software Quality (Book)

Author: D. Edgar-Nevill, M. Ross, and G. Staples (Editors)
Publisher: The British Computer Society

Excerpt or Summary:
A chapter of this publication, included in "Section 2 Standards," is entitled "CVE and OVAL - International Security Standards That Are Making A Difference". It was written by Robert A. Martin, CVE Compatibility Lead and OVAL Team Member.

Date: 4/29/2004
Publication: Red Hat, Inc. Web Site

Byline: Red Hat, Inc.
Headline: "Security Takes Lead in Red Hat Enterprise Linux"

Excerpt or Summary:
CVE compatibility was included in this press release as one of three facets of Red Hat's "security roadmap." The press release states that "Since its availability in 2002, Red Hat Enterprise Linux has achieved important milestones in security standards," and includes CVE as item three: "In February 2004 Red Hat receives MITRE certification for Common Vulnerabilities and Exposures (CVE) compatibility for Security Advisories." The release also describes how Red Hat security advisories received a certificate of official CVE compatibility: "A second security accomplishment for Red Hat is the certification from MITRE for Common Vulnerabilities and Exposures (CVE) compatibility for Security Advisories. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures to simplify security practices. Red Hat is the only Linux vendor [at this time] to be awarded this certification for security standards."

Date: 4/12/2004
Publication: Information Week Magazine

Byline: Jeffrey Hunker
Headline: "New Security Imperative: Demonstrating Results"

Excerpt or Summary:
CVE was included in this article about IT professionals proving the value of their information security efforts in measurable ways. CVE is mentioned by the author in a discussion of how cyber security has been viewed by boards of directors and senior non-IT managers as ". . . one of the 'black arts'; it's been the province not of mere mortals but of highly trained specialists who can converse in the arcane language of DES, SSL, and CVE (Common Vulnerabilities and Exposures)."

Date: 4/12/2004
Publication: eWeek Magazine

Byline: Dennis Fisher
Headline: "Security Flaws Database Goes Live"

Excerpt or Summary:
CVE was mentioned in this article about the recent launch of the free Open Source Vulnerability Database (OSVDB) that is meant to "serve as a central collection point [and resource] for information on any and all security vulnerabilities." CVE is mentioned at the end of the article when the author states that "[OSVDB] is hoping to begin comparing its database with other similar stores, including the Common Vulnerabilities and Exposures project maintained by The MITRE Corp., so that it can reference [CVE names] wherever they're applicable. The CVE project assigns unique [names] to each new vulnerability and publishes a one-line description of the problem."

In addition, OSVDB also recently declared that its Open Source Vulnerability Database will be CVE-compatible. Refer to the CVE-Compatible Products and Services page for additional information.

Date: 4/6/2004
Publication: Debian Weekly News

Byline: Debian News Channel
Headline: "Debian Security Advisories are CVE-Compatible"

Excerpt or Summary:
This article references the press release by Software in the Public Interest, Inc. announcing that "Debian Security Advisories [are officially] CVE-compatible. The Debian project announced that Debian Security Advisories have been declared CVE-compatible at the RSA Conference 2004, in San Francisco, February 24th, 2004. The project also believes that it is extremely important to provide users with additional information related to security issues that affect the Debian distribution." The article included a link to the original press release and a link to the Debian and CVE Compatibility page on the Debian Web site.

Date: 4/2/2004
Publication: Government Computer News

Byline: William Jackson
Headline: "New vulnerability database offers free security data"

Excerpt or Summary:
CVE was mentioned in this article about the launch of the free Open Source Vulnerability Database (OSVDB). CVE is mentioned at the end of the article when the author states: "OSVDB complements the work of other projects and databases, such as the Common Vulnerabilities and Exposures lexicon. CVE, developed and hosted by MITRE Corp. of Bedford, Mass., at cve.mitre.org, is a dictionary of vulnerabilities rather than a database. Its goal is to provide the IT security community with a common language for discussing and responding to vulnerabilities." The author continues: "There are other vulnerability databases that rely on the CVE, which Kouns says is an 'incredible resource. But CVE is conservative in some ways.' Kouns hopes OSVDB eventually will be more inclusive than other databases. OSVDB does not use CVE taxonomy, and its identifiers for unique vulnerabilities apply only within its own database."

OSVDB also recently declared that its Open Source Vulnerability Database will be CVE-compatible. Refer to the CVE-Compatible Products and Services page for additional information.

Date: 4/1/2004
Publication: Network Computing Magazine

Byline: Greg Shipley
Headline: "Painless (Well, Almost) Patch Management Procedures"

Excerpt or Summary:
The main topic of the article was implementing patch management techniques. CVE names were used in a chart in the article illustrating the shrinking interval between "a vulnerability's discovery and the creation of exploit code," which is "shrinking and narrowing the wiggle room organizations have to get their patching done." The chart, entitled "Shrinking Time Lines or Increasing Urgency?," listed 18 CVE names.

March 2004

Date: 3/30/2004
Publication: Debian Web site

Byline: Software in the Public Interest, Inc.
Headline: "Debian Security Advisories are CVE-Compatible"

Excerpt or Summary:
CVE compatibility was the main topic of this March 30, 2004 press release by Software in the Public Interest, Inc. (SPI). In the release SPI announces that the "Debian Security Advisories (DSA) [were] declared CVE-compatible at the RSA Conference 2004, in San Francisco, February 24th, 2004" during an awards ceremony held at the conference. The release also describes how "The Debian project has added CVE names to all advisories released since September 1998 through a review process started on August 2002. All advisories can be retrieved from the Debian Web site, and announcements related to new vulnerabilities include CVE names if available at the time of their release. Advisories associated with a given CVE name can be searched directly through the [Debian Web site] search engine. Moreover, Debian provides a complete cross-reference table, including all references available for advisories published since 1997. This table is provided to complement the reference map available at CVE."

The release concludes with the following: "Debian developers understand the need to provide accurate and up to date information of the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. CVE names enable the project to provide standardised references to all publicly known vulnerabilities and security exposures which allow users to develop a CVE-enabled security management process."

Date: 3/30/2004
Publication: eWeek Magazine

Byline: Steven J. Vaughan-Nichols
Headline: "Linux vs. Windows: Which Is More Secure?"

Excerpt or Summary:
CVE was the underpinning for a Forrester Research study that compared Linux and Windows in terms of how quickly they fixed security vulnerabilities. This article discusses that study, which would not have been feasible without CVE. It is the first time CVE has been used to support such a large-scale, quantitative analysis. The authors used the National Institute of Standards and Technology's (NIST) ICAT database—which NIST describes as a "CVE Vulnerability Search Engine"—to perform the comparison and to normalize their results. The study is available for purchase on the Forrester Web site.

NIST is a member of the CVE Editorial Board and ICAT is listed on the CVE-Compatible Products and Services page.

Date: 3/11/2004
Publication: eWeek.com

Byline: Larry Seltzer
Headline: "Integer Overflows Add Up to Real Security Problems"

Excerpt or Summary:
A description from a CVE name was used in this article to describe the vulnerability that was the main topic of the article: "As explained in the CVE (Common Vulnerability and Exposure) [name for] the bug: an 'Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious Web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.'" The article also included a link to CAN-2003-0010 on the CVE Web site.

February 2004

Date: 2/26/2004
Publication: Harris Corporation Web Site

Headline: "Press Release: Harris Corporation's STAT Scanner Product Formally Recognized for Common Vulnerabilities Exposure Compatibility"

Excerpt or Summary:
CVE compatibility was the main topic of this press release in which Harris announces that it "has been formally recognized for Common Vulnerabilities Exposure (CVE) compatibility for [its] STAT Scanner network vulnerability assessment product. The recognition award, presented to Harris this week during the 13th Annual RSA conference in San Francisco, recognizes security products that have incorporated MITRE's CVE listings into their vulnerability search databases."

Also included in the release is a quote by John Payton, Incident Response Manager, National Computer Emergency Readiness Team (US-CERT), Department of Homeland Security, who presented the awards: "This group comes from a pool of nearly 100 organizations that are pursuing CVE compatibility," said Mr. Payton. "We congratulate these recipients, and look forward to seeing more organizations and their products qualify for inclusion in this select group." Harris was one of 10 companies receiving the certificates at the event.

Harris Corporation and STAT Scanner are listed on the CVE-Compatible Products and Services page.

Date: 2/25/2004
Publication: Foundstone, Inc. Web Site

Headline: "Press Release: Foundstone Enterprise Risk Solutions Software Awarded Certificate of Compatibility for Full CVE Compliance"

Excerpt or Summary:
CVE compatibility was the main topic of this press release in which Foundstone announces that its "Foundstone Enterprise Risk Solutions (ERS) vulnerability management software has been named fully compliant with the Common Vulnerabilities and Exposure (CVE) Initiative by The MITRE Corp. The company received its Certificate of Compatibility during an awards ceremony at the 13th Annual RSA Conference in San Francisco."

Also included in the release is a quote by Dave Cole, vice president of product management for Foundstone, who states: "The CVE Initiative was designed to provide security vendors and end-users alike a common language to discover and manage vulnerabilities across diverse security products. By achieving full CVE compatibility, Foundstone has demonstrated its commitment to standards and to ensuring customers have reliable and accurate security data that is interoperable with other security devices, software and services."

Foundstone, Inc. and Foundstone Enterprise Risk Solutions are listed on the CVE-Compatible Products and Services page.

Date: 2/24/2004
Publication: Sunbelt Software Web Site

Headline: "Sunbelt Software Announces New Security Vulnerability Scanner"

Excerpt or Summary:
CVE was mentioned in this press release by Sunbelt Software: "SNSI uses the latest MITRE Common Vulnerabilities and Exposures (CVE) list of computer vulnerabilities and contains the latest SANS/FBI top 20 vulnerability list. It also uses the latest CERT, CIAC and FedCIRC (Department of Homeland Security) advisories." Sunbelt Software is listed on the CVE-Compatible Products and Services page.

Date: 2/24/2004
Publication: Qualys, Inc. Web Site

Headline: "Media Advisory"

Excerpt or Summary:
CVE compatibility was the main topic of a media advisory by Qualys, Inc. in which Qualys announces that Certificates of CVE Compatibility were presented during an awards ceremony at the 13th Annual RSA Conference in San Francisco, and that the certificates were presented by John Payton, Incident Response Manager for the National Computer Emergency Readiness Team (US-CERT), Department of Homeland Security.

The advisory also lists the 10 organizations and 14 information security products and services that achieved the final phase of MITRE's formal compatibility process and are now officially "CVE-compatible." Qualys received certificates for four products: QualysGuard Enterprise, QualysGuard Consultant, QualysGuard Express, and QualysGuard MSP. Qualys, Inc. and these four products are listed on the CVE-Compatible Products and Services page.

Date: 2/9/2004
Publication: eWeek Magazine

Byline: Jim Rapoza
Headline: "PredatorWatch Minds the Store"

Excerpt or Summary:
CVE was mentioned briefly in this product review of PredatorWatch Auditor 2.1. In the article, the author states: "For detecting vulnerabilities, PredatorWatch Auditor 2.1 uses the Common Vulnerabilities and Exposures defined by [MITRE Corporation's CVE project]."

PredatorWatch, Inc. and PredatorWatch Auditor are listed on the CVE-Compatible Products and Services page.

Date: 2/3/2004
Publication: Breakwater Security Web Site

Headline: "Breakwater launches B-Secure Active Vulnerability Management solution to enable proactive network security"

Excerpt or Summary:
CVE was mentioned in this press release by Breakwater Security Associates: "AVM adheres to the standard SANS Top 20 list of critical vulnerabilities and supports the CVE (Common Vulnerabilities and Exposures) naming standard."

January 2004

Date: 1/30/2004
Publication: Syhunt Web site

Byline: Syhunt, Inf. Ltd.
Headline: "TrustSight Security Scanner Declared CVE-Compatible"

Excerpt or Summary:
Syhunt released this press release in January announcing that its TrustSight Security Scanner will be CVE-compatible. The release states: "Syhunt is one of the few companies in Brazil that have declared support for the CVE vulnerability naming standard, and the company maintains the security database that keeps vulnerabilities from being exposed. The company's vulnerability assessment technology, now called TrustSight, is a leading technology in the field of web application security and network security." The release further quotes Syhunt chairman Felipe Moniz de Aragao stating that Syhunt is pleased to support MITRE on the CVE Initiative to standardize vulnerability identification: "CVE enhances our security database," Moniz says, "and helps Syhunt defend our customers from exposure to vulnerabilities." The release concludes with a description of CVE compatibility and a link to the CVE Web site.

Date: 1/9/2004
Publication: InfoWorld Magazine

Byline: Wayne Rash
Headline: "Special Publication 800-61, Computer Security Incident Handling Guide"

Excerpt or Summary:
CVE was included in this article about checking your operating system (OS) for vulnerabilities. In the article, the author notes that vulnerabilities exist in almost all OSs and provides a brief list of some of the more common ones for each. The author also states that while the OS vendors are responsible for offering fixes for vulnerabilities, users also bear some responsibility: "Many serious OS vulnerabilities are the result of poor management, lax administration, or poor configuration. These problems exist for Windows, and they exist for Unix and Linux as well as other operating systems. In addition, some significant vulnerabilities exist in applications that run on top of these operating systems."

CVE is mentioned in the third paragraph, prefacing the brief list of vulnerabilities the author includes in the article: "The following items come from the list available at sans.org and the MITRE Corporation Common Vulnerabilities and Exposures [dictionary]. Both of these sources include information about determining whether or not you're affected by the vulnerabilities." The article also includes a link to the CVE Web site.

Date: 1/5/2004
Publication: Network Magazine

Byline: Christopher M. King
Headline: "SEM: Navigating the Seas of Security Event Data"

Excerpt or Summary:
CVE was referred to as a standard for vulnerability names in this article about security event management technologies and products. In a section entitled "Standard Bearers," the author states: "As for identifying vulnerabilities and exposures, MITRE's (www.mitre.org) Common Vulnerabilities and Exposures (CVE) dictionary contains standard names and descriptions of vulnerabilities and exposures."

Of the 19 products discussed in the article, 10 are listed on the CVE-Compatible Products and Services page. This includes five of nine products specifically from security software companies. The 10 organizations and products/services listed in the CVE-Compatible Products and Services section are: IBM's Tivoli Risk Manager, NetIQ's Security Manager, Symantec's Incident Manager, ISS's SiteProtector, Intellitactics's Network Security Manager, netForensics's Security Information Management solution, TruSecure, Symantec's Riptech, and Ubizen.

Date: 1/5/2004
Publication: Help Net Security Web Site

Headline: "TrustSight Security Scanner Declared CVE-Compatible"

Excerpt or Summary:
CVE and CVE compatibility were mentioned in the title and throughout this article about Syhunt Inf. Ltd.'s TrustSight Security Scanner, including in the subtitle, which reads: "Compatibility Enables Syhunt Customers To Intelligently Analyze, Cross Reference and Search Vulnerabilities". The article describes CVE, the CVE Editorial Board, and the number of unique and standardized CVE names currently available on the site, and provides a URL for the CVE Web site.

The article also quotes CVE Compatibility Lead Robert A. Martin, who states: "[CVE] now includes over 6,400 uniquely named vulnerabilities and more than 200 organizations incorporating CVE names into almost 300 information security products and services. [CVE and CVE compatibility are] making it possible for developers, security practitioners, and systems owners to transform their security practices and make enterprise management of information security vulnerabilities less of an art and more of an engineered practice."

Syhunt, Inf. Ltd. and TrustSight Security Scanner are listed on the CVE-Compatible Products and Services page.

Date: 1/2004
Publication: National Institute of Standards and Technology (NIST)

Byline: Tim Grance, Karen Kent, and Brian Kim
Headline: "What, me vulnerable? Check your OS for surprises"

Excerpt or Summary:
CVE was included in this report in the "Vulnerability and Exploit Resources" section of Appendix G—Online Tools and Resources. Also included was a link to the CVE Web site.

Page Last Updated: May 06, 2009