News & Events

Right-click and copy a URL to share an article. Send feedback about this page to cve@mitre.org.

Juniper Added as CVE Numbering Authority (CNA)

April 22, 2016 | Share this article

Juniper Networks, Inc. is now a CVE Numbering Authority (CNA) for Juniper issues only. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 23 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; EMC; FreeBSD; Google; HP; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

New CVE Editorial Board Member for US-CERT

April 22, 2016 | Share this article

Tom Millar of US-CERT has joined the CVE Editorial Board.

Read the full announcement and welcome message in the CVE Editorial Board email discussion list archive.

Two CVE Identifiers Cited in Numerous Security Advisories and News Media References about the "Badlock" Vulnerability

April 22, 2016 | Share this article

Two CVE Identifiers — CVE-2016-0128 and CVE-2016-2118 — are cited in numerous major advisories, posts, and news media references related to the "Badlock" vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2016-0128" and "CVE-2016-2118" using your preferred search engine. Also, the CVE Identifier pages https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0128 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118 include lists of advisories used as references.

CVE Editorial Board Holds Teleconference Meeting

April 22, 2016 | Share this article

The CVE Editorial Board held a teleconference meeting on March 30, 2016. Read the meeting minutes.

CVE Mentioned in an Article about a Severe Cisco Firewall Vulnerability on ThreatPost

April 5, 2016 | Share this article

CVE is mentioned in an April 4, 2015 article entitled "Cisco 'High Severity' Flaw Lets Malware Bypass Firepower Firewall" on ThreatPost. The main topic of the article is that Cisco recently patched a "critical vulnerability found in its recently introduced line of FirePower firewall products. The vulnerability, according to Cisco, allows attackers to slip malware onto critical systems without detection. The flaw is also impacts Snort, an open source network-based intrusion detection system also owned by Cisco."

CVE is mentioned as follows: "Cisco alerted customers of the vulnerability (CVE-2016-1345) last week classifying it as "high severity". The networking firm has released software updates that address the vulnerability in Cisco Firepower System Software 5.4.0.7 and later, 5.4.1.6 and later and 6.0.1 and later."

In addition, Cisco is a CVE Numbering Authority (CNA), assigning CVE-IDs for Cisco issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1345 to learn more about this issue.

CVE Mentioned in Article about an Apple OS X and iOS Zero-Day Vulnerability on Tech Times

April 5, 2016 | Share this article

CVE is mentioned in a March 28, 2016 article entitled "Zero-Day Vulnerability Bypasses Apple's Security Features To Compromise OS X And iOS Devices: Update Now" on Tech Times. The main topic of the article is that "A security analyst from SentinelOne unveiled a critical zero-day vulnerability that affects all versions of Apple's OS X and some iOS versions. By using the vulnerability, hackers can get full access of the affected device, making it easy to steal sensitive data and bypass the company's protection feature."

CVE is mentioned when the author states: "…SentinelOne reported back in January about a critical vulnerability in both the iOS and OS X codes, which permits local privilege escalation as well as a surprisingly easy bypassing of the SIP, sans kernel exploit. Codenamed CVE-2016-1757, the zero-day vulnerability is a Non-Memory Corruption bug. This means that it makes it easy for hackers to do a number of things, such as executing remote code (Remote Code Execution), running custom-made code on your device and even perform sandbox escapes."

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1757 to learn more about this issue.

CVE Mentioned in Article about Four Vulnerabilities Used in Ransomware Attacks on Dark Reading

April 5, 2016 | Share this article

CVE is mentioned throughout an in a March 22, 2016 article entitled "Here Are 4 Vulnerabilities Ransomware Attacks Are Exploiting Now" on Dark Reading. The main topic of the article is that "there's a common thread in the most recent ransomware attacks: they use four known Adobe Flash Player and Microsoft Silverlight software bugs that have patches available, according to new research published today."

CVE is first mentioned at the beginning of the article when the author states: "So if you haven't already patched recently revealed Flash flaws CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, and Microsoft Silverlight's CVE-2016-0034, you'll "significantly" minimize your risk of getting hit by the latest in ransomware threats if you apply these updates, according to Recorded Future, which analyzed which vulns were being exploited most in ransomware attacks as of March 16."

CVE is mentioned a second time, when the author states: "The Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits spread the Flash CVE-2015-7645 exploit; Angler spreads Flash CVE-2015-8446; Angler and Neutrino spread Flash CVE-2015-8651; and Angler spreads Silverlight CVE-2016-0034, an exploit exposed in the Hacking Team breach. In addition to patching these four vulns, Recorded Future offers additional recommendations for thwarting ransomware attacks: set Flash to "click to play;" run browser ad-blockers to protect against malvertising-borne attacks; and perform regular backups, especially of shared files, which are often the target of ransomware attacks."

In addition, both Adobe and Microsoft are CVE Numbering Authorities (CNAs), with Adobe assigning CVE-IDs for Adobe issues and Microsoft assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, and CVE-2016-0034 to learn more about these issues.

CVE Mentioned in Article about 49 Chrome Vulnerabilities on SC Magazine

April 5, 2016 | Share this article

CVE is mentioned throughout an in a March 28, 2016 article entitled "Google patches Chrome 49 vulnerabilities" on SC Magazine. The main topic of the article is that Google Inc. "released a patch on Thursday [March 24, 2016] for vulnerabilities affecting the latest version of Chrome for Windows, Mac, and Linux, including several high-risk issues."

The CVE-IDs cited in this article include the following: CVE-2016-1646, CVE-2016-1649, CVE-2016-1647, CVE-2016-1648, and CVE-2016-1650.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Cited as Product Feature in Press Release for Threat Stack's Cloud Security Platform

April 5, 2016 | Share this article

CVE is cited as a product feature in a March 30, 2016 press release entitled "Threat Stack Announces Most Comprehensive Cloud Security Vulnerability Verification: Cloud Security Platform Provides Automated CVE Check Against Every Package Installed" by Threat Stack, Inc.

CVE is mentioned in a quote by Threat Stack's vice president of products and customer advocacy, Venkat Pothamsetty, who states: "Threat Stack wants to keep customers as current as possible on critical CVEs. The Threat Stack Cloud Security Platform compares every single CVE published to every package installed, cross-checks against all corresponding vendor advisories on those packages and pinpoints to the image ID on the affected servers. The extensive approach we take is resulting in the least false positive rate of CVEs in the industry."

CVE is also mentioned in the conclusion to press release, as follows: "By providing vulnerability management at the workload layer, Threat Stack gives customers the confidence they're managing CVEs efficiently, enabling them to focus on more high-priority security threats."

1 Product from Beijing Leadsec Technology Now Registered as Officially "CVE-Compatible"

April 5, 2016 | Share this article

cve compatible image

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 151 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Leadsec Technology Co., Ltd. - Leadsec Web Application Firewall (Leadsec WAF)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

1 Product from Hillstone Networks Now Registered as Officially "CVE-Compatible"

April 5, 2016 | Share this article

cve compatible image

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 151 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Hillstone Networks - Intrusion Prevention System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Mentioned in Article about Three Critical Vulnerabilities in Symantec Endpoint Protection on InfoWorld

March 22, 2016 | Share this article

CVE is mentioned in a March 21, 2016 article entitled "Symantec fixes high-risk flaws in Symantec Endpoint Protection" on InfoWorld. The main topic of the article is that Symantec Corporation "fixed three high-risk security vulnerabilities in Symantec Endpoint Protection last week, which serves as a reminder: Security software needs to be regularly patched, too."

All three vulnerabilities are identified by their CVE-ID numbers, as follows: "The cross-site request forgery flaw (CVE-2015-8152) and SQL injection bug (CVE-2015-8153) in the SEP Management Console can be exploited to give authorized users more elevated privileges than originally assigned. These vulnerabilities, if successfully exploited, make it easier for attackers because they no longer need to try to steal administrator-level credentials. They can intercept lower-level user credentials and bump up the privileges as needed." "The third flaw (CVE-2015-8154) was in the SysPlant.sys driver, which Symantec Endpoint Protection loads on Windows clients as part of Application and Device Control (ADC) component. The driver prevents untrusted code from running on Windows systems. If the vulnerability is successfully exploited, the attacker bypasses the ADC to execute malicious code on the system with the same privileges as the logged on user."

In addition, Symantec is a CVE Numbering Authority (CNA), assigning CVE-IDs for Symantec issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-8152, CVE-2015-8153, and CVE-2015-8154 to learn more about these issues.

CVE Mentioned in Article about a Linux Kernel Vulnerability in Android on eWeek

March 22, 2016 | Share this article

CVE is mentioned in a March 21, 2016 article entitled "Google Updates Android for Linux Kernel Flaw" on eWeek. The main topic of the article is that Google, Inc. issued an "unprecedented mid-month emergency patch update" for a Linux kernel vulnerability. The article also discusses the "Metaphor" exploit for the previously patched Android "Stagefright" vulnerability.

CVE is first mentioned when the author states: "Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google's Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components. Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device."

CVE is mentioned a second time, as follows: "Of note also is the fact that in the scheduled March 7 update, Google patched a high-severity issue identified as CVE-2016-0824 in the Stagefright media library. Google has patched the libstagefright (Stagefright) and Android media libraries multiple times since August 2015…" CVE is then mentioned a third time, when the author states: "In unrelated research, security firm NorthBit reported on March 18 that a Stagefright exploit it referred to as Metaphor is attacking Android. The Metaphor exploit makes use of a vulnerability identified as CVE-2015-3864, which Google patched in August 2015."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-1805, CVE-2016-0824, and CVE-2015-3864 to learn more about these issues.

CVE Mentioned in Article about Tripwire's "2016 Patch Management Study" on Dark Reading

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Patch Management Still Plagues Enterprise" on Dark Reading. The main topic of the article is that "In spite of years of data showing effective patch management to be some of the lowest-hanging fruit in improving IT risk management, half of enterprises today still aren't getting it right. So says a new survey out today [by Tripwire, Inc.], which queried over 480 IT professionals on their patch management practices."

CVE is mentioned in a quote by Tim Erlin, Director, Product Management, Security and IT Risk Strategist at Tripwire, who states: "The fact is that we, as an industry, consistently conflate vulnerabilities with patches. They are not the same thing! The fact is, we identify known vulnerabilities with CVE IDs, and vendors release increments of code that address some of those CVE IDs. It’s not a one-to-one relationship, except when it is, and bundles are common, except from vendors who don't roll up patches. Sometimes patches don't fix all the vulnerabilities, and sometimes they fix multiple vulnerabilities on some platforms but not others. Sometimes a patch is an upgrade, sometimes it's not, and sometimes you can apply an individual patch or an upgrade to fix disparate but overlapping sets of vulnerabilities."

The "Tripwire 2016 Patch Management Study" findings are free to read at http://www.tripwire.com/company/research/tripwire-2016-patch-management-study/.

CVE Mentioned in Article about Three Critical Chrome Vulnerabilities on ThreatPost

March 10, 2016 | Share this article

CVE is mentioned in a March 9, 2016 article entitled "Chrome Update Fixes Three 'High' Severity Vulnerabilities" on ThreatPost. The main topic of the article is that "Google pushed out the latest version of its flagship browser Chrome on Tuesday, fixing three high severity bugs in the process."

CVE is mentioned when the author identifies the three vulnerabilities and notes their severity ratings as determined by Google: "High CVE-2016-1643: Type confusion in Blink"; "High CVE-2016-1644: Use-after-free in Blink"; and "High CVE-2016-1645: Out-of-bounds write in PDFium". All three were discovered by researchers who submitted them to Google's vulnerability reward program.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1643, CVE-2016-1644, and CVE-2016-1645 to learn more about these issues.

CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Google fixes Android bugs, including lingering Mediaserver flaw" on InfoWorld. The main topic of the article is that Google Inc. "addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update. The updates addressed critical security vulnerabilities in the keyring component, MediaTek Wi-Fi Driver, Conscrypt, the libvpx library, Mediaserver component, and the Qualcomm Performance component."

The CVE-IDs cited in this article include the following: CVE-2016-0815, CVE-2016-0816, CVE-2016-0824, CVE-2016-0826, CVE-2016-0827, CVE-2016-0828, CVE-2016-0829, CVE-2016-1621, CVE-2016-0818, CVE-2016-0819, CVE-2016-0728, CVE-2016-0820, CVE-2016-0822, CVE-2016-0821, and CVE-2016-0823.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for March on ThreatPost

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Microsoft Patches Critical Vulnerabilities in its Browsers" on ThreatPost. The main topic of the article is that Microsoft Corporation recently released 13 security bulletins "including five rated critical and two rated important that could result in remote code execution attacks against compromised machines."

CVE is first mentioned with regard to the bulletin for the Microsoft Edge browser, as follows: "All 11 flaws are memory corruption vulnerabilities and five of those are also applicable to IE, Microsoft said. Edge also is vulnerable to an information disclosure vulnerability, CVE-2016-0125, enabled by Edge's improper handling of the referrer policy. An attacker could use this flaw to learn about the request context or browsing history of a user…"

CVE is mentioned a second time regarding a bulletin that patches “two flaws in Windows Graphic Fonts. A user would have to open a crafted document to exploit the flaw or view a website hosting maliciously crafted embedded OpenType fonts. Only one of the OpenType Font Parsing vulnerabilities, CVE-2016-0121, is rated critical and leads to remote code execution; the other, CVE-2016-0120, is a denial-of-service issue and is rated moderate…." CVE is mentioned a third time regarding a bulletin that patches “patches two flaws in Windows Media that can be exploited via malicious media content to gain remote code execution. Neither CVE-2106-0101, nor CVE-2016-0098, has been publicly attacked, Microsoft said, adding that the patch corrects the way Windows handles resources in the media library."

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-0125, CVE-2016-0121, CVE-2016-0120, CVE-2016-0101, and CVE-2016-0098 to learn more about these issues.

CVE Mentioned in Article about Vulnerabilities in Adobe Acrobat and Reader on ThreatPost

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Adobe Patches Reader and Acrobat, Teases Upcoming Flash Update" on ThreatPost. The main topic of the article is that Adobe Systems Incorporated recently released "security updates for its PDF editing and viewing products, Acrobat and Reader, and its ereader for books called Adobe Digital Editions. And while the customary Flash update is missing from today's monthly rollout, Adobe said a new version of the software will be available "in the coming days."

CVE is mentioned when the author discusses Adobe patching three vulnerabilities in its Acrobat and Reader products: "Two of the patches (CVE-2016-1007 and CVE-2016-1009) address memory corruption vulnerabilities, while the third addresses a flaw in the directory search path (CVE-2016-1008). All three can be exploited to remotely execute code on compromised machines, Adobe said, adding that it was not aware of any public attacks against these bugs."

CVE is mentioned again regarding a vulnerability in Adobe Digital Editions, when the author states: "The patch specifically addresses a memory corruption issue (CVE-2016-0954); it has not been publicly attacked, Adobe said, adding that versions 4.5.0 and earlier are affected. Users are urged to update to 4.5.1."

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-20161007, CVE-2016-1009, CVE-2016-1008, and CVE-2016-0094 to learn more about these issues.

CVE Mentioned in Article about the DROWN Vulnerability on Softpedia

March 2, 2016 | Share this article

CVE is mentioned in a March 1, 2016 article entitled "A Third of All HTTPS Websites Are Vulnerable to the DROWN Attack" on Softpedia.

CVE is mentioned when the author states: "The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. DROWN stands for "Decrypting RSA using Obsolete and Weakened eNcryption" and … At its core, the principle behind the DROWN attack relies on the presence of both the SSLv2 and TLS protocols on target machines. DROWN is a cross-protocol attack, meaning it will use weaknesses in the SSLv2 implementation against TLS."

Visit CVE-2016-0800 to learn more about this issue.

CVE Identifier "CVE-2015-7547" Cited in Numerous Security Advisories and News Media References about a Severe Linux Vulnerability

February 18, 2016 | Share this article

"CVE-2015-7547" is cited in numerous major advisories, posts, and news media references related to a recent severe Linux stack-based buffer overflow vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2015-7547" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547 includes a list of advisories used as references.

CVE Mentioned in Article about HPE's Cyber Risk Report 2016 on IT World Canada

February 18, 2016 | Share this article

CVE is mentioned in a February 17, 2016 article entitled "Security industry has learned nothing from patching lapses: Report" on IT World Canada. CVE is mentioned as part of the main topic of this article, which is that Hewlett-Packard Enterprise's "HPE Security Research Cyber Risk Report 2016" states that the "most exploited bug in 2015 was a Windows Shell vulnerability (CVE-2010-2568) that was discovered along with a patch issued in 2010 — and patched again in early 2015."

Visit CVE-2010-2568 to learn more about this issue.

CVE Mentioned in Article about Vulnerabilities in VoIP Phones on Bank Info Security

February 18, 2016 | Share this article

CVE is mentioned throughout a February 15, 2016 article entitled "VoIP Phones: Eavesdropping Alert" on Bank Info Security. The main topic of the article is that "VoIP devices built by the likes of Cisco and Snom can be easily exploited with just a couple of lines of JavaScript … if they use the devices' default security settings. Once attackers compromise a device, they can monitor or reroute all calls, surreptitiously activate microphones built into the device to listen to what's being said locally, or upload malicious firmware, amongst other potential attacks."

CVE is mentioned when the author discusses how the "attack would also work against some Cisco VoIP devices. Cisco has confirmed a related vulnerability - CVE-2015-0670 - affects some Cisco Small Business IP phones, but so far has released no patches."

Visit CVE-2015-0670 to learn more about this issue.

CVE Mentioned in Article about a Vulnerability in a Teddy Bear on eWeek

February 4, 2016 | Share this article

CVE is mentioned in a February 2, 2016 article entitled "Fisher-Price Smart Teddy Bear Latest IoT Toy Under Hacker Scrutiny" on eWeek. The main topic of the article is that "When it comes to the emerging Internet of things world, security vulnerabilities can exist almost anywhere, including in a child's teddy bear. Security vendor Rapid7 … disclosed a vulnerability in the Fisher-Price Smart Toy, which could have enabled an attacker to gain access to user information. Rapid7 responsibly disclosed the flaw to Fisher-Price, and the toy vendor has already patched the issue."

CVE is mentioned as follows: "Fisher-Price did not properly secure the Web APIs it uses for the back end of the Smart Toy, potentially giving an attacker access to customer profile information, including name, birthday, gender, language and which toys have been registered. Going a step further … an attacker could have deleted or modified a child's profile. The core flaw, which is identified as CVE-2015-8269, is an improper authentication handling vulnerability. [This means that the] Web back end for the Smart Toy would let anyone attempting to access the site assert that they were any customer ID. Fisher-Price [has] fixed the remote security issues … [and since] … the disclosed issues are all remote, there is no need for end users to patch the local device."

Visit CVE-2015-8269 to learn more about this issue.

CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld

February 4, 2016 | Share this article

CVE is mentioned in a February 1, 2016 article entitled "Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android" on InfoWorld. The main topic of the article is that "Google addressed multiple remote code execution and elevation of privilege vulnerabilities in its Android monthly security update for February. Along with the usual mediaserver suspects, the patches addressed multiple issues in several Wi-Fi components."

The CVE-IDs cited in this article include the following: CVE-2016-0803, CVE-2016-0804, CVE-2016-0810, CVE-2016-0811, CVE-2016-0801, CVE-2016-0802, CVE-2016-0806, CVE-2016-0809, CVE-2016-0805, CVE 2016-0807, CVE-2016-0808, CVE-2016-0812, and CVE-2016-0813.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about Two OpenSSL Vulnerabilities on InfoWorld

February 4, 2016 | Share this article

CVE is mentioned throughout a January 28, 2016 article entitled "OpenSSL patches two vulnerabilities in cryptographic library" on InfoWorld.

CVE is first mentioned as follows: "The OpenSSL project team has patched two vulnerabilities in the cryptographic library and enhanced the strength of existing cryptography used by OpenSSL versions 1.0.1 and 1.0.2", one of which was a "high-priority bug addresses an issue in how some Diffie-Hellman parameters are generated in OpenSSL 1.0.2 (CVE 2016-0701)."

CVE is mentioned two more times in the article with regard to lower-priority bug fixes, as follows: "The other vulnerability, which affects both 1.0.1 and 1.0.2, can let a malicious client negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes (CVE 2015-3197)." "OpenSSL also enhanced the strength of the cryptography used to mitigate the Logjam downgrade vulnerability in TLS. Logjam (CVE 2015-4000) refers to the vulnerability in the TLS protocol that allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit cryptography. This meant that attackers could break and read any encrypted traffic."

Visit CVE-2016-0701, CVE-2015-3197, and CVE-2015-4000 to learn more about these issues.

CVE Mentioned in Article about Apple Issuing Its First OS X and iOS Security Updates for 2016 on eWeek

February 4, 2016 | Share this article

CVE is mentioned in a January 20, 2016 article entitled "Apple Issues First OS X, iOS Security Updates for 2016" on InfoWorld. The main topic of the article is that "Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and IOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices."

The CVE-IDs cited in this article include the following: CVE-2016-1722, CVE-2016-1730, CVE-2016-1719, CVE-2016-1720, and CVE-2016-1721.

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about a Silverlight Zero-Day Vulnerability on ZDNet

February 4, 2016 | Share this article

CVE is mentioned in a January 13, 2016 article entitled "Kaspersky Lab discovers Silverlight zero-day vulnerability" on ZDNet. The main topic of the article is that "Kaspersky Lab has discovered a dangerous zero-day vulnerability in Silverlight, potentially placing millions of users at risk … the cybersecurity firm said the vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information, conduct surveillance and cause wholesale destruction if they so wished." CVE is mentioned as follows: "The vulnerability, CVE-2016-0034, was discovered after Ars Technica revealed an alleged link between exploit and surveillance tool seller…"

Visit CVE-2016-0034 to learn more about this issue.

CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for January on InfoWorld

January 14, 2016 | Share this article

CVE is mentioned in a January 13, 2016 article entitled "Microsoft fixes critical flaws in Windows, Office, Edge, IE, other products" on InfoWorld. The main topic of the article are the fixes included in Microsoft's Patch Tuesday for January: "Microsoft has released the first batch of security updates for 2016 and they include critical fixes for remote code execution flaws in Windows, Office, Edge, Internet Explorer, Silverlight and Visual Basic."

CVE is first mentioned when the author states: "In total, Microsoft issued 9 security bulletins covering patches for 24 vulnerabilities. According to Wolfgang Kandek, the CTO of security firm Qualys, administrators should prioritize the MS16-005 security bulletin, especially for systems running Windows Vista, 7 and Server 2008. This patch addresses a remote code execution vulnerability tracked as CVE-2016-0009 that has been publicly disclosed, making attacks more likely."

CVE is mentioned a second time, as follows: "The second most important bulletin, according to Qualys, is MS16-004, which addresses six vulnerabilities in Microsoft Office. This bulletin is rated critical, which has been unusual for Microsoft Office in the recent past. The culprit for this severity rating is one particular remote code execution vulnerability tracked as CVE-2016-0010 that's present in all versions of Office from 2007 to 2016, even those running on Mac and Windows RT…."

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-0009 and CVE-2016-0010 to learn more about these issues.

CVE Is Main Topic of Numerous News Media Articles about Products with Most Vulnerabilities in 2015

January 12, 2016 | Share this article

CVE was the main topic of several news media articles about the number of CVE-IDs issued to different platforms in 2015. The "Top 50 Products By Total Number Of "Distinct" Vulnerabilities in 2015" list was published by CVE Details, which takes CVE vulnerability data from the U.S. National Vulnerability Database (NVD), which is itself based upon the CVE List, and presents it in "an easy to use web interface to CVE vulnerability data." CVE Details is listed in the CVE Compatibility Program.

Examples of the news media articles about the list include the following:

Review the list at http://www.cvedetails.com/top-50-products.php?year=2015. To review or research CVE vulnerability content, visit NVD and CVE.

 
Page Last Updated: April 22, 2016