SEI Insights

Category: Vulnerability Analysis

 The Risks of Google Sign-In on iOS Devices

By on

The Google Identity Platform is a system that allows you to sign in to applications and other services by using your Google account. Google Sign-In is one such method for providing your identity to the Google Identity Platform. Google Sign-In...

 Visualizing CERT BFF String Minimization

By on

I've been working on a presentation called CERT BFF - From Start to PoC. In the process of preparing my material, I realized that a visualization could help people understand what happens during the BFF string minimization process....

 Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI

By on

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, white papers, webinars, and podcasts. These publications highlight the latest work of...

 Vehicle Cybersecurity: The Jeep Hack and Beyond

By on

This blog post was co-authored by Dan Klinedinst. Automobiles are often referred to as "computers on wheels" with newer models containing more than 100 million lines of code. All this code provides features such as forward collision warning systems and...

 When Is a Vulnerability a Safety Issue?

By on

As you may have read in a previous post, the CERT/CC has been actively researching vulnerabilities in the connected vehicles. When we began our research, it became clear that in the realm of cyber-physical systems, safety is king. For regulators,...

 10 At-Risk Emerging Technologies

By on

In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that may arise from new technologies. Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security...

 Vulnerability IDs, Fast and Slow

By on

The CERT/CC Vulnerability Analysis team has been engaged in a number of community-based efforts surrounding Coordinated Vulnerability Disclosure lately. I've written previously about our involvement in the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities. Today I'll highlight our ongoing work in...

 How to Win Friends and Coordinate a Vulnerability

By on

The CERT/CC Vulnerability Analysis team for nearly 30 years now has provided assistance for coordinated vulnerability disclosure (CVD). In a nutshell, we help security researchers communicate with software vendors to resolve security issues, and we get that information in the...

 E Pluribus, Que? Identifying Vulnerability Disclosure Stakeholders

By on

On September 29, Art Manion and I attended the first meeting of the Multistakeholder Process for Cybersecurity Vulnerabilities initiated by the National Telecommunications and Information Administration (NTIA), part of the United States Department of Commerce. There has been ample coverage...

 CVSS and the Internet of Things

By on

There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked about presentations at this year's Black Hat and DefCon events were about hacking IoT...

 Recent Conference Presentations by the Vulnerability Analysis Team

By on

A number of us on the Vulnerability Analysis team have been out and about giving talks at various conferences recently. This post provides links to the presentation slides, related blog posts, and the videos where available....

 Comments on BIS Wassenaar Proposed Rule

By on

Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize...

 Like Nailing Jelly to the Wall: Difficulties in Defining "Zero-Day Exploit"

By on

During the Watergate hearings, Senator Howard Baker asked John Dean a now-famous question: "My primary thesis is still: What did the president know, and when did he know it?" If you understand why that question was important, you have some...

 Top 10 CERT/CC Blog Posts on Vulnerabilities and SSL Tools

By on

In 2014, approximately 1 billion records of personably identifiable information were compromised as a result of cybersecurity vulnerabilities. In the face of this onslaught of compromises, it is important to examine fundamental insecurities that CERT researchers have identified and that...

 The Risks of SSL Inspection

By on

Recently, SuperFish and PrivDog have received some attention because of the risks that they both introduced to customers because of implementation flaws. Looking closer into these types of applications with my trusty CERT Tapioca VM at hand, I've come to...

  What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?

By on

Hi folks, Allen Householder here. In my previous post, I introduced our recent work in surveying vulnerability discovery for emerging networked systems (ENS). In this post, I continue with our findings from this effort and look at the differences between...

 Vulnerability Coordination and Concurrency Modeling

By on

Hi, it's Allen. In addition to building fuzzers to find vulnerabilities (and thinking about adding some concurrency features to BFF in the process), I've been doing some work in the area of cybersecurity information sharing and the ways it can...

 Vulnerability Discovery for Emerging Networked Systems

By on

Hi folks, Allen Householder here. I want to introduce some recent work we're undertaking to look at vulnerability discovery for emerging networked systems (including cyberphysical systems like home automation, networked cars, industrial control systems and the like). In this post...

 Heartbleed: Q&A

By on

The Heartbleed bug, a serious vulnerability in the Open SSL crytographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security(SSL/TLS) encryption used to secure the internet. Heartbleed and its...

 Secure Coding to Prevent Vulnerabilities

By on

Software developers produce more than 100 billion lines of code for commercial systems each year. Even with automated testing tools, errors still occur at a rate of one error for every 10,000 lines of code. While many coding standards address...

 A New Approach to Cyber Incident Response

By on

According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector,...

 Taking Control of Linux Exploit Mitigations

By on

Hey, it's Will. In my last two blog entries, I looked at aspects of two exploit mitigations (NX and ASLR) on the Linux platform. With both cases, Linux left a bit to be desired. In this post, I will explain...

 Differences Between ASLR on Windows and Linux

By on

Hi folks, it's Will again. In my last blog entry, I discussed a behavior of NX on the Linux platform. Given that NX (or DEP as it's known on the Windows platform) and Address Space Layout Randomization (ASLR) work hand-in-hand,...

 Feeling Insecure? Blame Your Parent!

By on

Hey, it's Will. I was recently working on a proof of concept (PoC) exploit using nothing but the CERT BFF on Linux. Most of my experience with writing a PoC has been on Windows, so I figured it would be...

 Hacking the CERT FOE

By on

Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy...

 Prioritizing Malware Analysis

By on

Hi, this is Jose Morales, researcher in the CERT:CES team. In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that...

 Analyzing Routing Tables

By on

Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers. Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs),...

 BFF 2.7 on OS X Mavericks

By on

Hi folks, it's Will. Apple has released OS X Mavericks. Because BFF 2.7 was released before Mavericks, BFF doesn't work right out of the box. But it's actually quite simple to get it working....

 Vulnerabilities and Attack Vectors

By on

Hi, this is Will Dormann of the CERT Vulnerability Analysis team. One of the responsibilities of a vulnerability analyst is to investigate the attack vectors for potential vulnerabilities. If there isn't an attack vector, then a bug is just a...

 Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler

By on

Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the...

 Signed Java Applet Security Improvements

By on

Hi folks, it's Will Dormann. A few months ago I published a blog entry called Don't Sign that Applet! that outlined some concerns with Oracle's guidance that all Java applets should be signed. The problem is that with Java versions...

 One Weird Trick for Finding More Crashes

By on

Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version...

 One Weird Trick for Finding More Crashes

By on

Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version...

 Practical Math for Your Security Operations - Part 2 of 3

By on

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division again. In my earlier blog post, I offered some ideas for applying set theory in your SOC (Security Operations Center). This time I introduce you to statistics, specifically...

 Mining Ubuntu for Interesting Fuzz Targets

By on

Hello, Jonathan Foote here. In this post I'll explain how to use information from databases in stock Ubuntu systems to gather the parameters needed to perform corpus distillation (gathering of seed inputs) and fuzzing against the installed default file type...

 Domains That Are Typos of Other Domains

By on

Hello, this is Jonathan Spring. I've been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it's a common one since 'f' is next to 'g' on the standard...

 Tempering the Vulnerability Hype Cycle with CVSS

By on

Hi everyone, it's Todd Lewellen. Today, I want to discuss how quantitative vulnerability metrics, like the Common Vulnerability Scoring System (CVSS), can help to develop a more accurate understanding of a vulnerability's severity....

 Practical Math for Your Security Operations - Part 1 of 3

By on

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division. Mathematics is part of your daily tasks if you're a security analyst. In this blog post series, I'll explore some practical uses of math in your SOC (Security...

 Forensics Software and Oracle Outside In

By on

Hi, it's Will. In this post I will discuss the risks of using forensics software to process untrusted data, as well as what can be done to mitigate those risks....

 The Risks of Microsoft Exchange Features that Use Oracle Outside In

By on

The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit. It's public knowledge that Microsoft Exchange uses Oracle...

 Keep Calm and Deploy EMET

By on

CVE-2013-1347, the Internet Explorer 8 CGenericElement object use-after-free vulnerability has gotten a lot of press lately because it was used in a "watering hole" attack against several sites....

 Don't Sign that Applet!

By on

Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies,...

 Don't Sign that Applet!

By on

Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies,...

 Watching Domains That Change DNS Servers Frequently

By on

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains...

 Java in Web Browser: Disable Now!

By on

Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after...

 Forking and Joining Python Coroutines to Collect Coverage Data

By on

In this post I'll explain how to expand on David Beazley's cobroadcast pattern by adding a join capability that can bring multiple forked coroutine paths back together. I'll apply this technique to create a modular Python script that uses gcov,...

 A Look Inside CERT Fuzzing Tools

By on

Hi, this is Allen Householder of the CERT Vulnerability Analysis team. If you've been following this blog for a while, you are probably familiar with our fuzzing tools: Dranzer, the CERT Basic Fuzzing Framework (BFF), and the CERT Failure Observation...

 Updates to CERT Fuzzing Tools (BFF 2.6 & FOE 2.0.1)

By on

Hi everybody. Allen Householder from the CERT Vulnerability Analysis team here, back with another installment of "What's new in CERT's fuzzing frameworks?" Today we're announcing the release of updates of both our fuzzing tools, the CERT Basic Fuzzing Framework (BFF)...

 Java 7 Attack Vectors, Oh My!

By on

While researching how to successfully mitigate the recent Java 7 vulnerability (VU#636312, CVE-2012-4681), we (and by "we" I mean "Will Dormann") found quite a mess. In the midst of discussion about exploit activity and the out-of-cycle update from Oracle, I'd...

 Java Security Manager Bypass Vulnerability

By on

Last Sunday, another major Java vulnerability (VU#636312) was reported. Until an official update is available, we strongly recommend disabling the Java 7 plug-in for web browsers. This vulnerability is bad news, at least for those of us trying to avoid...

 CERT Failure Observation Engine 2.0 Released

By on

Hi folks, Allen Householder from the CERT Vulnerability Analysis team here. Back in April, we released version 1.0 of the CERT Failure Observation Engine (FOE), our fuzzing framework for Windows. Today we're announcing the release of FOE version 2.0. (Here's...

 Vulnerability Data Archive

By on

With the hope that someone finds the data useful, we're publishing an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database....

 AMD Video Drivers Prevent the Use of the Most Secure Setting for Microsoft's Exploit Mitigation Experience Toolkit (EMET)

By on

Microsoft EMET is an effective way of preventing many vulnerabilities from being exploited; however, systems that use AMD or ATI video drivers do not support the feature that provides the highest amount of protection....

 CERT Basic Fuzzing Framework 2.5 Released

By on

Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post...

 CERT Linux Triage Tools 1.0 Released

By on

As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post...

 CERT Failure Observation Engine 1.0 Released

By on

In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform....

 Vulnerability Severity Using CVSS

By on

If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics....

 CNAME flux

By on

Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP...

 Signed Java and Cisco AnyConnect

By on

A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the...

 Effectiveness of Microsoft Office File Validation

By on

Microsoft recently released a component for Office called Office File Validation that is supposed to help protect against attacks using malformed files. Because I recently performed file fuzzing tests on Microsoft Office, I decided to test the effectiveness of Office...

 A Security Comparison: Microsoft Office vs. Oracle Openoffice

By on

Recently, Dan Kaminsky published a blog entry that compared the fuzzing resiliency of Microsoft Office and Oracle OpenOffice. This blog entry contains the results from a similar test that I performed in November 2010. Also included are some other aspects...

 Announcing the CERT Basic Fuzzing Framework 2.0

By on

Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail...

 "Network Monitoring for Web-Based Threats" Released

By on

The CERT Network Situational Awareness (NetSA) team has published an SEI technical report on monitoring web-based threats. The report draws on related work such as OWASP but comes from a different point of view. While OWASP is focused on...

 Blog Reorganization

By on

Hi, folks. As you can see, we've changed the name of the Vulnerability Analysis Blog to the CERT/CC Blog. With this name change, we're expanding the focus of the blog to include content from other technical teams. The current RSS...

 CERT Basic Fuzzing Framework Update

By on

Hi, folks. We've recently updated the CERT® Basic Fuzzing Framework (BFF). The new BFF 1.1 contains new functionality and improves performance....

 Study of Malicious Domain Names: TLD Distribution

By on

Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes: Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this...

 CERT Basic Fuzzing Framework

By on

Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we...

 Top-10 Top Level and Second Level Domains Found in Malicious Software

By on

Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write: Recently there have been some statistics published on botnet Command & Control (C2) channels. These statistics...

 Plain Text Email in Outlook Express

By on

Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out,...

 Managing IPv6 - Part 2

By on

Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings....

 Managing IPv6 - Part 1

By on

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts...

 Internet Explorer Kill-Bits

By on

The Kill-Bit (or "killbit") is a Microsoft Windows registry value that prevents an ActiveX control from being used by Internet Explorer. More information is available in Microsoft KB article 240797. If a vulnerability is discovered in an ActiveX control or...

 Mitigating Slowloris

By on

Slowloris is a denial-of-service (DoS) tool that targets web servers. We have some suggestions about mitigation techniques and workarounds to protect your server. However, use caution if you implement any of these suggestions because they will likely have some unintended...

 Vulnerabilities and Attack Surface

By on

Two recent US-CERT Vulnerability Notes describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, that both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative....

 Release of Dranzer ActiveX Fuzzing Tool

By on

Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls. We've been using the Dranzer ActiveX fuzz...

 Bypassing Firewalls with IPv6 Tunnels

By on

Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs....

 Conficker.C: How Many Are There?

By on

Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful....

 Windows Installer Application Resiliency

By on

Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of...

 Internet Explorer Vulnerability Attack Vectors

By on

Hey, it's Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed in MS09-002. An interesting thing about these exploits is the attack...

 Reference Implementations for Securing Your Web Browser Guidelines

By on

It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the...

 Recommendations to Vendors for Communicating Product Security Information

By on

Hi, this is Chad Dougherty of the Vulnerability Analysis team. One of the important roles that our team plays is coordinating vulnerability information among a broad range of vendors. Over the years, we have gained a considerable amount of experience...

 Filtering ICMPv6 Using Host-Based Firewalls

By on

Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know....

 Reported Vulnerability in CERT Secure Coding Standards Website

By on

Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that...

 Ping Sweeping in IPv6

By on

Hello, its Ryan. We've noticed a misconception about IPv6 that is popular on the internet: that IPv6 addresses are hard to ping sweep because there are so many possible addresses. Ping sweeping can lead to port scanning, so this misconception...

 Carpet Bombing and Directory Poisoning

By on

Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable...

 Safely Using Package Managers

By on

Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker...

 ActiveX Vulnerability Discovery at the CERT/CC

By on

Hi, it's Will. Anybody who has been keeping an eye on the US-CERT Vulnerability Notes has probably noticed that I've published a lot of ActiveX vulnerabilities. So it should be no surprise to learn that we have been testing ActiveX...

 Signed Java Applet Security: Worse than ActiveX?

By on

Hi, it's Will again. ActiveX vulnerabilities seem to be getting a lot of attention lately. However, Java applets are also a concern. The classic understanding of a Java applet is that it runs in a sandbox in your web browser....

 Is Your Adobe Flash Player Updated?

By on

Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time...

 Who Has My Cookies?

By on

Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to...

 The Dangers of Windows AutoRun

By on

Hi, this is Will Dormann of the CERT/CC Vulnerability Analysis team. A few months ago, reports of infected digital picture frames hit the media. I was curious about how the malicious code was being executed, so I began investigating the...

 Vulnerability Analysis at the CERT/CC

By on

Hi, this is Art Manion, the Vulnerability Analysis team lead at the CERT Coordination Center (CERT/CC). For our first blog entry, I'd like to briefly explain our efforts to reduce software vulnerabilities....