Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
TheRegister.com, February 26, 2015
CVE is mentioned in a February 26, 2015 article entitled "Firefox 36 swats bugs, adds HTTP2 and gets certifiably serious: Three big bads, six medium messes and 1024-bit certs all binned in one release" on The Register. CVE is mentioned when the author states: "Mozilla has outfoxed three critical and six high severity flaws in its latest round of patches for its flagship browser. It stomps out memory safety bugs, exploitable use-after-free crashes, and a buffer overflow. Of the critical crashes, bad guys could potentially craft attacks targeting MP4 video playback through a buffer overflow in the libstagefright library (CVE-2015-0829). Another potential exploitable crash that is unlikely to be a threat in email clients where scripting was disabled centres on a use-after-free flaw for specific web content with IndexedDB (CVE-2015-0831). The third are a bunch of memory bugs (CVE-2015-0836) (CVE-2015-0835) Mozilla and its fans found in the engine behind the company's products including Firefox browser that dedicated attackers could probably exploit, given enough coffee."
TheRegister.com, February 24, 2015
CVE is mentioned in a February 24, 2015 article entitled "Samb-AAAHH! Scary remote execution vuln spotted in Windows-Linux interop code" on The Register. CVE is mentioned at the outset of the article when the author states: "Linux admins were sent scrambling to patch their boxes on Monday after a critical vulnerability was revealed in Samba, the open source Linux-and-Windows-compatibility software. The bug, which has been designated CVE-2015-0240, lies in the smbd file server daemon. Samba versions 3.5.0 through 4.2.0rc4 are affected, the Samba Project said in a security alert. An attacker who successfully exploits the flaw could potentially execute code remotely with root privileges, the project's developers warned. Root access is automatic and no login or authentication is necessary."
Visit CVE-2015-0240 to learn more about this issue.
SCMagazine.com, February 23, 2015
CVE is mentioned in a February 23, 2015 article entitled "Older vulnerabilities a top enabler of breaches, according to report" on SC Magazine about the "HP Cyber Risk Report 2015". CVE is mentioned at the outset of the article when the author states: "Organizations are not properly patching their systems and networks, according to the HP Cyber Risk Report 2015, which took a look back at the threat landscape in 2014 and noted that 44 percent of known breaches were possible due to vulnerabilities identified years ago. Accounting for 33 percent of identified exploit samples in 2014 is CVE-2010-2568, a popular Microsoft Windows vulnerability that was used as one of the infection vectors for Stuxnet, Jewel Timpe, senior manager of threat research at HP Security Research, told SCMagazine.com on Monday." CVE is mentioned a second time when the author states: "The report shows that CVE-2010-0188, a vulnerability in Adobe Reader and Acrobat, accounted for 11 percent of exploit samples in 2014. Six Oracle Java bugs identified in 2012 and 2013 also made the top ten list, as well as two Microsoft Office flaws – one identified in 2009 and the other in 2012."
TechWorld.com.com, February 23, 2015
CVE-IDs are used throughout a February 23, 2015 article entitled "The top software exploit of 2014? The Stuxnet XP flaw from 2010, reckons HP" on TechWorld.com to uniquely identify the vulnerabilities discussed. CVE is mentioned at the very beginning of the article when the author states: "For cyber-attackers, the old flaws are still the best, according to HP's Cyber Risk Report 2014 and it has a startling piece of evidence to back up its claim – the most commonly exploited software vulnerability for last year was the infamous .lnk flaw in Windows XP made famous by Stuxnet in the distant summer of 2010. Designated CVE-2010-2568, this on its own accounted for a third of all exploits the firm detected being used against its customers, just ahead of the even older CVE-2010-0188, a flaw in Adobe's Reader and Acrobat, responsible for 11 percent of exploits." Other CVE-IDs discussed in the article include CVE-2009-3129 for a Microsoft Office issue; CVE-2014-0322 and CVE-2014-0307, both for Internet Explorer issues, and CVE-2013-4787 for the Android Master Key vulnerability. An illustrated chart is also included with the article listing 10 security flaws, each of which is identified by its CVE-ID number.
Techlicious.com, February 18, 2015
CVE is mentioned in a February 18, 2015 article entitled "The Best Mac Security Software" on Techlicious. CVE is mentioned when the author states: "Many Mac owners may be under the impression that their computers don't need antivirus protection. They're inherently safer, right? While there are fewer Trojan horses, viruses and worms designed to attack Macs than PCs, that doesn't mean they're immune to infection. … In fact, a serious threat to Macs was verified as recently as December 2014, according to the National Vulnerability Database. To combat this threat, Apple issued its first ever automatic security update for Mac computers in December. (Previously, Mac users would initiate the security updates themselves.) The bug, CVE-2014-9295, could enable hackers to gain remote control of machines through a vulnerability with the network time protocol, or NTP, which synchronizes a computer's clock. It was serious enough that Apple didn’t want to wait for users to fix it themselves, according to Reuters."
Visit CVE-2014-9295 to learn more about this issue.
AndroidHeadlines.com, February 18, 2015
CVE is mentioned in a February 18, 2015 article entitled "NowSecure Provides Fix For Serious Vulnerabilities Found In 80 Percent Of Samsung Devices Last Year" on Android Headlines. CVE is mentioned at the outset of the article, when the author states: "A major vulnerability, named "Corrupdate" because of the methods used to gain access to a pair of system applications from Samsung, has been announced; it affects nearly 80% of all Samsung Android devices including the Galaxy S5 and Note 4. The vulnerability was discovered by security researchers Ryan Welton and Jake Van Dyke of NowSecure. NowSecure, a mobile security vendor, reported the issues to Samsung and assisted with creating a patch for the affected devices. They also have confirmed that the patch that was created has appeared to work. This vulnerability affects The Samsung Account and Samsung GALAXY Applications or on some devices may be called Samsung Apps and Samsung Updates, and because they are system applications, they cannot be uninstalled. For those of you who track vulnerabilities, GALAXY Apps has been assigned CVE-2015-0863 and Samsung Account has been assigned CVE-2015-0864."
CVE Cited in News Media References and Posts about Google's Updated Vulnerability Disclosure Policy, February 13, 2015
CVE is included in Google Inc.'s refined Vulnerability Disclosure Policy, as described in a February 13, 2015 blog post entitled "Feedback and data-driven updates to Google's disclosure policy" on its Project Zero blog. CVE is mentioned as bullet 3 of 3 as improvements to the policy, as follows: "Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it's important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we'll ensure that a CVE has been pre-assigned."
Release of the updated policy also resulted in CVE being cited in numerous major news media references and posts, including the following examples:
CVE Identifier "CVE-2015-0313" Cited in Numerous Security Advisories and News Media References about a Zero-Day Adobe Flash Vulnerability, February 12, 2015
Other news articles may be found by searching on "CVE-2015-0313" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313 includes a list of advisories used as references.
CVE Identifier "CVE-2015-0235" Cited in Numerous Security Advisories and News Media References about "Ghost" Vulnerability, January 30, 2015
"CVE-2015-0235" was cited in numerous major advisories, posts, and news media references related to the recent Ghost vulnerability, including the following examples:
Other news articles may be found by searching on "CVE-2015-0235" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 includes a list of advisories used as references.
Tripwire.com Website, January 20, 2015
CVE is mentioned in a January 20, 2014 article about responsible vulnerability disclosure entitled "Hacker halted… What is it?" on the Tripwire, Inc.'s State of Security blog. The article is a follow-up to a presentation by Tripwire's Vulnerability and Exposures Research Team at "Hacker Halted 2014" about the vulnerability disclosure process and the turnaround times for creating patches.
CVE is mentioned in a section of the article entitled "Responsible Disclosure," when the author states:
"There are a few steps to properly disclose a vulnerability to a vendor.
The author concludes the article as follows: "If we don't properly disclose vulnerabilities, we not only hurt ourselves but we hurt others. It's like driving home drunk — the moment you get into your vehicle you put your life, and others, at risk. While a vulnerability may not be as dire, we need to work together with the vendors to properly disclose and fix vulnerabilities."
TechWorld.com, January 5, 2015
CVE is mentioned in a January 5, 2015 article entitled "Think that software library is safe to use? Think again…" on TechWorld.com. The main topic of the article is that third-party software code libraries and components are not bug-free and that the "major patching efforts triggered by the Heartbleed, Shellshock and POODLE flaws last year highlight the effect of critical vulnerabilities in third-party code. The flaws affected software that runs on servers, desktop computers, mobile devices and hardware appliances, affecting millions of consumers and businesses."
CVE is first referenced as an example when the author states: "One example… is a vulnerability discovered in 2006… The flaw was among several that affected LibTIFF and were fixed in a new release at the time. It was tracked as CVE-2006-3459 in the Common Vulnerabilities and Exposures database." CVE is mentioned again in a quote about this example by Risk Based Security, Inc.'s Chief Research Officer, Carsten Eiram, who states: "In 2010, a vulnerability was fixed in Adobe Reader, which turned out to be one of the vulnerabilities covered by CVE-2006-3459. For four years, a vulnerable and outdated version of LibTIFF had been bundled with Adobe Reader, and it was even proven to be exploitable. Adobe Systems has since become one of the software vendors taking the threat of flaws in third-party components seriously. They've made major improvements to their process of tracking and addressing vulnerabilities in the third-party libraries and components used in their products."
Visit CVE-2006-3459 to learn more about the issue cited above. To learn about "Heartbleed" see CVE-2014-0160; for "Bash Shellshock" see CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278; and for "POODLE" see CVE-2014-3566.
CVE Identifier "CVE-2014-9295" Cited in Numerous Security Advisories and News Media References about the Apple/Linux Network Time Protocol Vulnerability, December 2014
"CVE-2014-9295" was cited in numerous major advisories, posts, and news media references related to the recent Network Time Protocol vulnerability affecting Apple and Linux operating systems, including the following examples:
Other news articles may be found by searching on "CVE-2014-9295" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295 includes a list of advisories used as references.
CVE Identifier "CVE-2014-9222" Cited in Numerous Security Advisories and News Media References about "Misfortune Cookie" Vulnerability, December 2014
"CVE-2014-9222" was cited in numerous major advisories, posts, and news media references related to the recent Misfortune Cookie vulnerability, including the following examples:
Other news articles may be found by searching on "CVE-2014-9222" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222 includes a list of advisories used as references.
eWeek.com, December 20, 2014
"CVE-2014-9390" was cited in a December 20, 2014 article entitled "Git Vulnerability Exposed; Patch Now or Be Hacked Later" on eWeek.com. CVE is mentioned at the beginning of the article when the author states: "A new vulnerability has been reported and was patched on Dec. 18 in the widely used open-source Git source-code management system. The vulnerability has been identified as CVE-2014-9390 and impacts Git clients running on Windows and Mac OS X. Git is an open-source source-code management system used by developers on Linux, Windows and Mac OS X, and includes both a host server-side component as well as a local client on developer machines. Git is also the open-source technology behind the popular GitHub code repository. Linus Torvalds, best known as the creator of the open-source Linux operating system, developed Git. Somewhat ironically, the author of the rival Mercurial open-source version control system first discovered the CVE-2014-9390 issue, which also impacts Mercurial."
CVE is mentioned again when the author notes that patches are now available for the issue: "The fix for the CVE-2014-9390 vulnerability is now present in the new Git v2.2.1 release and has also been patched in Mercurial version 3.2.3. Although the issue only directly affects Windows and Mac OS X users, Linux users are also being advised to be cautious." CVE is mentioned for a third time at the end of the article, as follows: "Metasploit is often the first place where new exploits come for security researchers to be able to test vulnerabilities. It is likely that an exploit for CVE-2014-9390 will find its way into Metasploit at some point to be able to demonstrate the vulnerability."
Visit CVE-2014-9390 to learn more about this issue.
Infosecurity-Magazine.com, December 11, 2014
CVE is mentioned in a December 11, 2014 article entitled "ICS-CERT: BlackEnergy Attacks on Critical Infrastructure" on Infosecurity-Magazine.com. The main focus of the article is a "sophisticated malware campaign that has compromised numerous industrial control systems (ICS) environments using a variant of the BlackEnergy malware appears to be targeting internet-connected human-machine interfaces (HMIs). The BlackEnergy campaign has been ongoing since at least 2011, and the United States' ICS-CERT recently published information and technical indicators about it… "
CVE is mentioned when the author states: "Typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems as an initial vector. For instance, the organization's analysis has identified that systems running GE's Cimplicity HMI with a direct connection to the internet are being targeted using an exploit for a vulnerability in GE's Cimplicity HMI product that has been known since at least January 2012. GE has patched the vulnerability, CVE-2014-0751, so users should update their systems immediately."
Visit CVE-2014-0751 to learn more about this issue.
eWeek.com, December 9, 2014
CVE is mentioned in a December 9, 2014 article entitled "Microsoft Fixes 24 Flaws in 2014's Last Patch Tuesday" on eWeek.com.
CVE is mentioned at the very beginning of the article when the author states: "Microsoft came out with its December Patch Tuesday update, marking the final set of regularly scheduled security updates for 2014. In total, Microsoft is fixing 24 unique Common Vulnerabilities and Exposures (CVEs) this month, across seven security advisories. Of those seven security advisories, Microsoft rated only three as critical. One of the critical advisories is MS14-080, which patches 14 CVEs in Microsoft's Internet Explorer (IE) Web browser. The December CVE count in IE is actually a decline from the 17 CVEs patched in November's Patch Tuesday update."
Visit the Microsoft Security Bulletin Summary for December 2014 for more information about these issues.