Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
TechWorld.com, January 5, 2015
CVE is mentioned in a January 5, 2015 article entitled "Think that software library is safe to use? Think again…" on TechWorld.com. The main topic of the article is that third-party software code libraries and components are not bug-free and that the "major patching efforts triggered by the Heartbleed, Shellshock and POODLE flaws last year highlight the effect of critical vulnerabilities in third-party code. The flaws affected software that runs on servers, desktop computers, mobile devices and hardware appliances, affecting millions of consumers and businesses."
CVE is first referenced as an example when the author states: "One example… is a vulnerability discovered in 2006… The flaw was among several that affected LibTIFF and were fixed in a new release at the time. It was tracked as CVE-2006-3459 in the Common Vulnerabilities and Exposures database." CVE is mentioned again in a quote about this example by Risk Based Security, Inc.'s Chief Research Officer, Carsten Eiram, who states: "In 2010, a vulnerability was fixed in Adobe Reader, which turned out to be one of the vulnerabilities covered by CVE-2006-3459. For four years, a vulnerable and outdated version of LibTIFF had been bundled with Adobe Reader, and it was even proven to be exploitable. Adobe Systems has since become one of the software vendors taking the threat of flaws in third-party components seriously. They've made major improvements to their process of tracking and addressing vulnerabilities in the third-party libraries and components used in their products."
Visit CVE-2006-3459 to learn more about the issue cited above. To learn about "Heartbleed" see CVE-2014-0160; for "Bash Shellshock" see CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278; and for "POODLE" see CVE-2014-3566.
CVE Identifier "CVE-2014-9295" Cited in Numerous Security Advisories and News Media References about the Apple/Linux Network Time Protocol Vulnerability, December 2014
"CVE-2014-9295" was cited in numerous major advisories, posts, and news media references related to the recent Network Time Protocol vulnerability affecting Apple and Linux operating systems, including the following examples:
Other news articles may be found by searching on "CVE-2014-9295" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295 includes a list of advisories used as references.
CVE Identifier "CVE-2014-9222" Cited in Numerous Security Advisories and News Media References about "Misfortune Cookie" Vulnerability, December 2014
"CVE-2014-9222" was cited in numerous major advisories, posts, and news media references related to the recent Misfortune Cookie vulnerability, including the following examples:
Other news articles may be found by searching on "CVE-2014-9222" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222 includes a list of advisories used as references.
eWeek.com, December 20, 2014
"CVE-2014-9390" was cited in a December 20, 2014 article entitled "Git Vulnerability Exposed; Patch Now or Be Hacked Later" on eWeek.com. CVE is mentioned at the beginning of the article when the author states: "A new vulnerability has been reported and was patched on Dec. 18 in the widely used open-source Git source-code management system. The vulnerability has been identified as CVE-2014-9390 and impacts Git clients running on Windows and Mac OS X. Git is an open-source source-code management system used by developers on Linux, Windows and Mac OS X, and includes both a host server-side component as well as a local client on developer machines. Git is also the open-source technology behind the popular GitHub code repository. Linus Torvalds, best known as the creator of the open-source Linux operating system, developed Git. Somewhat ironically, the author of the rival Mercurial open-source version control system first discovered the CVE-2014-9390 issue, which also impacts Mercurial."
CVE is mentioned again when the author notes that patches are now available for the issue: "The fix for the CVE-2014-9390 vulnerability is now present in the new Git v2.2.1 release and has also been patched in Mercurial version 3.2.3. Although the issue only directly affects Windows and Mac OS X users, Linux users are also being advised to be cautious." CVE is mentioned for a third time at the end of the article, as follows: "Metasploit is often the first place where new exploits come for security researchers to be able to test vulnerabilities. It is likely that an exploit for CVE-2014-9390 will find its way into Metasploit at some point to be able to demonstrate the vulnerability."
Visit CVE-2014-9390 to learn more about this issue.
Infosecurity-Magazine.com, December 11, 2014
CVE is mentioned in a December 11, 2014 article entitled "ICS-CERT: BlackEnergy Attacks on Critical Infrastructure" on Infosecurity-Magazine.com. The main focus of the article is a "sophisticated malware campaign that has compromised numerous industrial control systems (ICS) environments using a variant of the BlackEnergy malware appears to be targeting internet-connected human-machine interfaces (HMIs). The BlackEnergy campaign has been ongoing since at least 2011, and the United States' ICS-CERT recently published information and technical indicators about it… "
CVE is mentioned when the author states: "Typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems as an initial vector. For instance, the organization's analysis has identified that systems running GE's Cimplicity HMI with a direct connection to the internet are being targeted using an exploit for a vulnerability in GE's Cimplicity HMI product that has been known since at least January 2012. GE has patched the vulnerability, CVE-2014-0751, so users should update their systems immediately."
Visit CVE-2014-0751 to learn more about this issue.
eWeek.com, December 9, 2014
CVE is mentioned in a December 9, 2014 article entitled "Microsoft Fixes 24 Flaws in 2014's Last Patch Tuesday" on eWeek.com.
CVE is mentioned at the very beginning of the article when the author states: "Microsoft came out with its December Patch Tuesday update, marking the final set of regularly scheduled security updates for 2014. In total, Microsoft is fixing 24 unique Common Vulnerabilities and Exposures (CVEs) this month, across seven security advisories. Of those seven security advisories, Microsoft rated only three as critical. One of the critical advisories is MS14-080, which patches 14 CVEs in Microsoft's Internet Explorer (IE) Web browser. The December CVE count in IE is actually a decline from the 17 CVEs patched in November's Patch Tuesday update."
Visit the Microsoft Security Bulletin Summary for December 2014 for more information about these issues.