Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
CVE Mentioned in Article about a Vulnerability in a Teddy Bear on eWeek
CVE is mentioned in a February 2, 2016 article entitled "Fisher-Price Smart Teddy Bear Latest IoT Toy Under Hacker Scrutiny" on eWeek. The main topic of the article is that "When it comes to the emerging Internet of things world, security vulnerabilities can exist almost anywhere, including in a child's teddy bear. Security vendor Rapid7 … disclosed a vulnerability in the Fisher-Price Smart Toy, which could have enabled an attacker to gain access to user information. Rapid7 responsibly disclosed the flaw to Fisher-Price, and the toy vendor has already patched the issue."
CVE is mentioned as follows: "Fisher-Price did not properly secure the Web APIs it uses for the back end of the Smart Toy, potentially giving an attacker access to customer profile information, including name, birthday, gender, language and which toys have been registered. Going a step further … an attacker could have deleted or modified a child's profile. The core flaw, which is identified as CVE-2015-8269, is an improper authentication handling vulnerability. [This means that the] Web back end for the Smart Toy would let anyone attempting to access the site assert that they were any customer ID. Fisher-Price [has] fixed the remote security issues … [and since] … the disclosed issues are all remote, there is no need for end users to patch the local device."
Visit CVE-2015-8269 to learn more about this issue.
CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld
CVE is mentioned in a February 1, 2016 article entitled "Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android" on InfoWorld. The main topic of the article is that "Google addressed multiple remote code execution and elevation of privilege vulnerabilities in its Android monthly security update for February. Along with the usual mediaserver suspects, the patches addressed multiple issues in several Wi-Fi components."
The CVE-IDs cited in this article include the following: CVE-2016-0803, CVE-2016-0804, CVE-2016-0810, CVE-2016-0811, CVE-2016-0801, CVE-2016-0802, CVE-2016-0806, CVE-2016-0809, CVE-2016-0805, CVE-2016-0807, CVE-2016-0808, CVE-2016-0812, and CVE-2016-0813.
In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.
CVE Mentioned in Article about Two OpenSSL Vulnerabilities on InfoWorld
CVE is mentioned throughout a January 28, 2016 article entitled "OpenSSL patches two vulnerabilities in cryptographic library" on InfoWorld.
CVE is first mentioned as follows: "The OpenSSL project team has patched two vulnerabilities in the cryptographic library and enhanced the strength of existing cryptography used by OpenSSL versions 1.0.1 and 1.0.2", one of which was a "high-priority bug [that] addresses an issue in how some Diffie-Hellman parameters are generated in OpenSSL 1.0.2 (CVE-2016-0701)."
CVE is mentioned two more times in the article with regard to lower-priority bug fixes, as follows: "The other vulnerability, which affects both 1.0.1 and 1.0.2, can let a malicious client negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes (CVE-2015-3197)." "OpenSSL also enhanced the strength of the cryptography used to mitigate the Logjam downgrade vulnerability in TLS. Logjam (CVE-2015-4000) refers to the vulnerability in the TLS protocol that allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit cryptography. This meant that attackers could break and read any encrypted traffic."
CVE Mentioned in Article about Apple Issuing Its First OS X and iOS Security Updates for 2016 on eWeek
CVE is mentioned in a January 20, 2016 article entitled "Apple Issues First OS X, iOS Security Updates for 2016" on InfoWorld. The main topic of the article is that "Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and IOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices."
In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.
CVE Mentioned in Article about a Silverlight Zero-Day Vulnerability on ZDNet
CVE is mentioned in a January 13, 2016 article entitled "Kaspersky Lab discovers Silverlight zero-day vulnerability" on ZDNet. The main topic of the article is that "Kaspersky Lab has discovered a dangerous zero-day vulnerability in Silverlight, potentially placing millions of users at risk … the cybersecurity firm said the vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information, conduct surveillance and cause wholesale destruction if they so wished." CVE is mentioned as follows: "The vulnerability, CVE-2016-0034, was discovered after Ars Technica revealed an alleged link between exploit and surveillance tool seller…"
Visit CVE-2016-0034 to learn more about this issue.
CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for January on InfoWorld
CVE is mentioned in a January 13, 2016 article entitled "Microsoft fixes critical flaws in Windows, Office, Edge, IE, other products" on InfoWorld. The main topic of the article is the set of fixes included in Microsoft's Patch Tuesday for January: "Microsoft has released the first batch of security updates for 2016 and they include critical fixes for remote code execution flaws in Windows, Office, Edge, Internet Explorer, Silverlight and Visual Basic."
CVE is first mentioned when the author states: "In total, Microsoft issued 9 security bulletins covering patches for 24 vulnerabilities. According to Wolfgang Kandek, the CTO of security firm Qualys, administrators should prioritize the MS16-005 security bulletin, especially for systems running Windows Vista, 7 and Server 2008. This patch addresses a remote code execution vulnerability tracked as CVE-2016-0009 that has been publicly disclosed, making attacks more likely."
CVE is mentioned a second time, as follows: "The second most important bulletin, according to Qualys, is MS16-004, which addresses six vulnerabilities in Microsoft Office. This bulletin is rated critical, which has been unusual for Microsoft Office in the recent past. The culprit for this severity rating is one particular remote code execution vulnerability tracked as CVE-2016-0010 that's present in all versions of Office from 2007 to 2016, even those running on Mac and Windows RT…."
In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.
CVE Is Main Topic of Numerous News Media Articles about Products with Most Vulnerabilities in 2015
CVE was the main topic of several news media articles about the number of CVE-IDs issued to different platforms in 2015. The "Top 50 Products By Total Number Of 'Distinct' Vulnerabilities in 2015" list was published by CVE Details, which takes CVE vulnerability data from the U.S. National Vulnerability Database (NVD), which is itself based upon the CVE List, and presents it in "an easy to use web interface to CVE vulnerability data." CVE Details is listed in the CVE Compatibility Program.
Examples of the news media articles about the list include the following:
Review the list at http://www.cvedetails.com/top-50-products.php?year=2015. To review or research CVE vulnerability content, visit NVD and CVE.