
Subject: Vulnerability Analysis

VPN - A Gateway for Vulnerabilities

• CERT/CC Blog
Vijay Sarvepalli

Virtual Private Networks (VPNs) are the backbone of today's businesses, providing a wide range of entities, from remote employees to business partners and sometimes even customers, with the ability to connect to sensitive corporate information securely. Long gone are the days of buying a leased line or a dedicated physical network (or fiber) for these types of communications. VPNs provide a simple way to take advantage of the larger public internet by creating virtual...

Update on the CERT Guide to Coordinated Vulnerability Disclosure

• CERT/CC Blog
Allen Householder

It's been two years since we originally published the CERT Guide to Coordinated Vulnerability Disclosure. In that time, it's influenced both the US Congress and EU Parliament in their approaches to vulnerability disclosure. I wanted to provide an update on how the Guide is evolving in response to all the feedback we received....

The Dangers of VHD and VHDX Files

• CERT/CC Blog
Will Dormann

Recently, I gave a presentation at BSidesPGH 2019 called Death By Thumb Drive: File System Fuzzing with CERT BFF. (The slides from my presentation are available in the SEI Digital Library.) Although my primary goal was to find bugs in kernel file-system-parsing code, a notable part of my research was investigating attack vectors. In particular, I focused on VHD and VHDX files on Windows systems. In this post, I describe some of the risks associated...

Comments on Voluntary Voting System Guidelines 2.0 Principles and Guidelines

• CERT/CC Blog
Allen Householder

The U.S. Election Assistance Commission recently held a public comment period on their Voluntary Voting System Guidelines 2.0 Principles and Guidelines. At the CERT/CC, we focus our attention on sectors that are new to (or perhaps slow to adopt) common vendor security practices like Coordinated Vulnerability Disclosure (CVD). To that end, Deana Shick, Jonathan Spring, Art Manion, and I collaborated to provide our feedback to the EAC. The remainder of this post contains the comments...

Towards Improving CVSS

• CERT/CC Blog
Deana Shick

If you are a software vendor, IT administrator, or CSIRT team, you are probably using the Common Vulnerability Scoring System (CVSS) in one way or another. The CERT/CC recently published a white paper entitled Towards Improving CVSS that outlines what we consider to be major challenges with the standard and discusses some ways forward. This post is a summary of that paper; if you are interested, please review the full paper for an elaboration of...

The CERT Guide to Coordinated Vulnerability Disclosure

• CERT/CC Blog
Allen Householder

We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into how CVD can go awry and how to respond when it does so....

The Risks of Google Sign-In on iOS Devices

• CERT/CC Blog
Will Dormann

The Google Identity Platform is a system that allows you to sign in to applications and other services by using your Google account. Google Sign-In is one such method for providing your identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.)...

Visualizing CERT BFF String Minimization

• CERT/CC Blog
Will Dormann

I've been working on a presentation called CERT BFF - From Start to PoC. In the process of preparing my material, I realized that a visualization could help people understand what happens during the BFF string minimization process....

When Is a Vulnerability a Safety Issue?

• CERT/CC Blog
Christopher King

As you may have read in a previous post, the CERT/CC has been actively researching vulnerabilities in connected vehicles. When we began our research, it became clear that in the realm of cyber-physical systems, safety is king. For regulators, manufacturers, and the consumer, we all want (and expect!) the same thing: a safe vehicle to drive. But what does safety mean in the context of security? This is precisely the question that the...

Vulnerability IDs, Fast and Slow

• CERT/CC Blog
Allen Householder

The CERT/CC Vulnerability Analysis team has been engaged in a number of community-based efforts surrounding Coordinated Vulnerability Disclosure lately. I've written previously about our involvement in the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities. Today I'll highlight our ongoing work in the Forum for Incident Response and Security Teams (FIRST). We are currently active in two vulnerability-related working groups within the FIRST organization: the Vulnerability Coordination SIG (recently merged with the NTIA Multiparty Disclosure working group),...

How to Win Friends and Coordinate a Vulnerability

• CERT/CC Blog
Garret Wassermann

The CERT/CC Vulnerability Analysis team for nearly 30 years now has provided assistance for coordinated vulnerability disclosure (CVD). In a nutshell, we help security researchers communicate with software vendors to resolve security issues, and we get that information in the hands of anyone affected by the vulnerability. The CVD process can be confusing. To help researchers and vendors who are new to CVD, we're announcing a couple of simple but important additions to our CVD...

E Pluribus, Que? Identifying Vulnerability Disclosure Stakeholders

• CERT/CC Blog
Allen Householder

On September 29, Art Manion and I attended the first meeting of the Multistakeholder Process for Cybersecurity Vulnerabilities initiated by the National Telecommunications and Information Administration (NTIA), part of the United States Department of Commerce. There has been ample coverage of the meeting in blogs (e.g., by Dr. Neal Krawetz and by Cris Thomas), mailing lists, and media reports, so I won't attempt to duplicate that information. During the course of the meeting, I became...

CVSS and the Internet of Things

• CERT/CC Blog
Dan J. Klinedinst

There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked about presentations at this year's Black Hat and DefCon events were about hacking IoT devices. At the CERT/CC, we coordinate information about and discover vulnerabilities in various devices, and the number of vulnerabilities keeps growing. One thing that I've personally been researching is finding vulnerabilities in vehicles. In recent...

Comments on BIS Wassenaar Proposed Rule

• CERT/CC Blog
Allen Householder

Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize our contributions here....

Like Nailing Jelly to the Wall: Difficulties in Defining "Zero-Day Exploit"

• CERT/CC Blog
Allen Householder

During the Watergate hearings, Senator Howard Baker asked John Dean a now-famous question: "My primary thesis is still: What did the president know, and when did he know it?" If you understand why that question was important, you have some sense as to why I am very concerned that "zero-day exploit capability" appears as an operative phrase in the Department of Commerce Bureau of Industry and Security (BIS) proposed rules to implement the Wassenaar Arrangement...

The Risks of SSL Inspection

• CERT/CC Blog
Will Dormann

Recently, SuperFish and PrivDog have received some attention because of the risks that they both introduced to customers because of implementation flaws. Looking closer into these types of applications with my trusty CERT Tapioca VM at hand, I've come to realize a few things. In this blog post, I will explain: The capabilities of SSL and TLS are not well understood by many. SSL inspection is much more widespread than I suspected. Many applications that...

What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. In my previous post, I introduced our recent work in surveying vulnerability discovery for emerging networked systems (ENS). In this post, I continue with our findings from this effort and look at the differences between ENS and traditional computing in the context of vulnerability discovery, analysis, and disclosure....

Vulnerability Coordination and Concurrency Modeling

• CERT/CC Blog
Allen Householder

Hi, it's Allen. In addition to building fuzzers to find vulnerabilities (and thinking about adding some concurrency features to BFF in the process), I've been doing some work in the area of cybersecurity information sharing and the ways it can succeed or fail. In both my vulnerability discovery and cybersecurity information sharing work, I've found that I often learn the most by examining the failures -- in part because the successes are often just cases...

Vulnerability Discovery for Emerging Networked Systems

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. I want to introduce some recent work we're undertaking to look at vulnerability discovery for emerging networked systems (including cyberphysical systems like home automation, networked cars, industrial control systems and the like). In this post I cover the background and motivation for this work, our approach, and some preliminary findings. In future posts I will cover additional results from this effort....

Taking Control of Linux Exploit Mitigations

• CERT/CC Blog
Will Dormann

Hey, it's Will. In my last two blog entries, I looked at aspects of two exploit mitigations (NX and ASLR) on the Linux platform. With both cases, Linux left a bit to be desired. In this post, I will explain how to add further exploit protections to Linux....

Differences Between ASLR on Windows and Linux

• CERT/CC Blog
Will Dormann

Hi folks, it's Will again. In my last blog entry, I discussed a behavior of NX on the Linux platform. Given that NX (or DEP as it's known on the Windows platform) and Address Space Layout Randomization (ASLR) work hand-in-hand, it's worth looking into how ASLR works on Linux. As it turns out, the implementation of ASLR on Linux has some significant differences from ASLR on Windows....

Feeling Insecure? Blame Your Parent!

• CERT/CC Blog
Will Dormann

Hey, it's Will. I was recently working on a proof of concept (PoC) exploit using nothing but the CERT BFF on Linux. Most of my experience with writing a PoC has been on Windows, so I figured it would be wise to expand to different platforms. However, once I got to the point of controlling the instruction pointer, I was surprised to discover that there was really nothing standing in the way of achieving code...

Hacking the CERT FOE

• CERT/CC Blog
Will Dormann

Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy to modify them to do what you like....

Prioritizing Malware Analysis

• CERT/CC Blog
Jose Morales

Hi, this is Jose Morales, researcher in the CERT:CES team. In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that year, Wired magazine reported that before Flame had been unleashed, samples of the malware had been lurking, undiscovered, in repositories for at least two years. As Wired also reported, this was not an isolated event....

Analyzing Routing Tables

• CERT/CC Blog
Timur Snoke

Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers. Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs), which uniquely identify networks on the Internet. To coordinate traffic between ASNs, the Border Gateway Protocol (BGP) advertises available routing paths that network traffic could take to access other IP addresses. BGP tables select and...

BFF 2.7 on OS X Mavericks

• CERT/CC Blog
Will Dormann

Hi folks, it's Will. Apple has released OS X Mavericks. Because BFF 2.7 was released before Mavericks, BFF doesn't work right out of the box. But it's actually quite simple to get it working....

Vulnerabilities and Attack Vectors

• CERT/CC Blog
Will Dormann

Hi, this is Will Dormann of the CERT Vulnerability Analysis team. One of the responsibilities of a vulnerability analyst is to investigate the attack vectors for potential vulnerabilities. If there isn't an attack vector, then a bug is just a bug, right? In this post, I will describe a few interesting cases that I've been involved with....

Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the crash recycling feature. In this post, I will take a closer look at this feature and explain why I think it's so interesting....

Signed Java Applet Security Improvements

• CERT/CC Blog
Will Dormann

Hi folks, it's Will Dormann. A few months ago I published a blog entry called Don't Sign that Applet! that outlined some concerns with Oracle's guidance that all Java applets should be signed. The problem is that with Java versions prior to 7u25, there is nothing that prevents a signed applet from being repurposed by an attacker to execute with full privileges. As it turns out, Java 7u25 introduced features to prevent a Java applet...

One Weird Trick for Finding More Crashes

• CERT/CC Blog
Will Dormann

Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version 2.1. In this blog entry I will describe some of the major changes with these tools....

Practical Math for Your Security Operations - Part 2 of 3

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division again. In my earlier blog post, I offered some ideas for applying set theory in your SOC (Security Operations Center). This time I introduce you to statistics, specifically standard deviation. Mathematical terms such as standard deviation can seem mysterious for daily security operations. However, I've provided some simple examples to help you analyze network security data using this measurement....

Mining Ubuntu for Interesting Fuzz Targets

• CERT/CC Blog
Jonathan Foote

Hello, Jonathan Foote here. In this post I'll explain how to use information from databases in stock Ubuntu systems to gather the parameters needed to perform corpus distillation (gathering of seed inputs) and fuzzing against the installed default file type handlers in Ubuntu Desktop 12.04. This technique applies to most modern versions of Ubuntu....

Domains That Are Typos of Other Domains

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring. I've been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it's a common one since 'f' is next to 'g' on the standard keyboard. The existing hypothesis has been that typo domains would be used for malicious purposes. Users would commonly mistype the domain they are going to, and some of the less scrupulous domain owners could take...

Practical Math for Your Security Operations - Part 1 of 3

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division. Mathematics is part of your daily tasks if you're a security analyst. In this blog post series, I'll explore some practical uses of math in your SOC (Security Operations Center). This pragmatic approach will hopefully help enhance your use of mathematics for network security....

The Risks of Microsoft Exchange Features that Use Oracle Outside In

• CERT/CC Blog
Will Dormann

The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit. It's public knowledge that Microsoft Exchange uses Oracle Outside In. WebReady, which was introduced with Exchange 2007, provides document previews through the use of the Oracle Outside In library. Outside In can decode over 500 different file formats and has a history of...

Keep Calm and Deploy EMET

• CERT/CC Blog
Vijay Sarvepalli

CVE-2013-1347, the Internet Explorer 8 CGenericElement object use-after-free vulnerability has gotten a lot of press lately because it was used in a "watering hole" attack against several sites....

Don't Sign that Applet!

• CERT/CC Blog
Will Dormann

Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies, suggests that all Java developers sign their applets, regardless of the privileges required. In this blog entry, I explain why this practice is a bad idea....

Watching Domains That Change DNS Servers Frequently

• CERT/CC Blog
Leigh Metcalf

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently....

Java in Web Browser: Disable Now!

• CERT/CC Blog
Art Manion

Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after investigating the Java 7 vulnerability from August, I realized that completely disabling Java in web browsers is not as simple as it should be....

Forking and Joining Python Coroutines to Collect Coverage Data

• CERT/CC Blog
Jonathan Foote

In this post I'll explain how to expand on David Beazley's cobroadcast pattern by adding a join capability that can bring multiple forked coroutine paths back together. I'll apply this technique to create a modular Python script that uses gcov, readelf, and other common unix command line utilities to gather code coverage information for an application that is being tested. Along the way I'll use ImageMagick under Ubuntu 12.04 as a running example....

A Look Inside CERT Fuzzing Tools

• CERT/CC Blog
Allen Householder

Hi, this is Allen Householder of the CERT Vulnerability Analysis team. If you've been following this blog for a while, you are probably familiar with our fuzzing tools: Dranzer, the CERT Basic Fuzzing Framework (BFF), and the CERT Failure Observation Engine (FOE). While creating tools that can find and analyze vulnerabilities makes up a significant portion of our work in the CERT Vulnerability Analysis team, our focus is on developing and communicating the knowledge we've...

Updates to CERT Fuzzing Tools (BFF 2.6 & FOE 2.0.1)

• CERT/CC Blog
Allen Householder

Hi everybody. Allen Householder from the CERT Vulnerability Analysis team here, back with another installment of "What's new in CERT's fuzzing frameworks?" Today we're announcing the release of updates of both our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.6 and the CERT Failure Observation Engine (FOE) version 2.0.1. The remainder of this post describes the changes in more detail....

Java 7 Attack Vectors, Oh My!

• CERT/CC Blog
Art Manion

While researching how to successfully mitigate the recent Java 7 vulnerability (VU#636312, CVE-2012-4681), we (and by "we" I mean "Will Dormann") found quite a mess. In the midst of discussion about exploit activity and the out-of-cycle update from Oracle, I'd like to call attention to a couple other important points....

Java Security Manager Bypass Vulnerability

• CERT/CC Blog
Art Manion

Last Sunday, another major Java vulnerability (VU#636312) was reported. Until an official update is available, we strongly recommend disabling the Java 7 plug-in for web browsers. This vulnerability is bad news, at least for those of us trying to avoid phishing and drive-by browsing attacks. The vulnerability is caused by a logic bug that allows an applet to grant itself full privileges. More technical details are available in Vulnerability Note VU#636312....

CERT Failure Observation Engine 2.0 Released

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder from the CERT Vulnerability Analysis team here. Back in April, we released version 1.0 of the CERT Failure Observation Engine (FOE), our fuzzing framework for Windows. Today we're announcing the release of FOE version 2.0. (Here's the download.) Although it has only been a few months since we announced FOE 1.0, our development cycle is such that FOE 2.0 actually reflects nearly a year of additional improvements over the 1.0 release....

Vulnerability Data Archive

• CERT/CC Blog
Art Manion

With the hope that someone finds the data useful, we're publishing an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database....

CERT Basic Fuzzing Framework 2.5 Released

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post highlights the significant changes....

CERT Linux Triage Tools 1.0 Released

• CERT/CC Blog
Jonathan Foote

As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post contains an overview of the extension and how it works....

CERT Failure Observation Engine 1.0 Released

• CERT/CC Blog
Allen Householder

In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform. To this end, we have worked to create a Windows analog to the BFF: the Failure Observation Engine (FOE). Through our internal testing, we've been able to help identify, coordinate, and fix exploitable vulnerabilities in...

Vulnerability Severity Using CVSS

• CERT/CC Blog
Art Manion

If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics....

CNAME flux

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name....

Signed Java and Cisco AnyConnect

• CERT/CC Blog
Will Dormann

A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the Cisco AnyConnect vulnerability is affected. US-CERT Vulnerability Note VU#490097 describes a vulnerability in the Cisco AnyConnect ActiveX and Java clients that allows an attacker to download and execute arbitrary code. The vulnerability note indicates that...

Effectiveness of Microsoft Office File Validation

• CERT/CC Blog
Will Dormann

Microsoft recently released a component for Office called Office File Validation that is supposed to help protect against attacks using malformed files. Because I recently performed file fuzzing tests on Microsoft Office, I decided to test the effectiveness of Office File Validation....

A Security Comparison: Microsoft Office vs. Oracle Openoffice

• CERT/CC Blog
Will Dormann

Recently, Dan Kaminsky published a blog entry that compared the fuzzing resiliency of Microsoft Office and Oracle OpenOffice. This blog entry contains the results from a similar test that I performed in November 2010. Also included are some other aspects of the Office suites that can affect the software's security....

Announcing the CERT Basic Fuzzing Framework 2.0

• CERT/CC Blog
Allen Householder

Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail in future posts, but we wanted to let you know that it's available so that you can download and try it....

"Network Monitoring for Web-Based Threats" Released

• CERT/CC Blog
Sid Faber

The CERT Network Situational Awareness (NetSA) team has published an SEI technical report on monitoring web-based threats. The report draws on related work such as OWASP but comes from a different point of view. While OWASP is focused on developing web applications securely, this report focuses more on situations where you don't have that control, but you need to protect servers and clients from web-based threats. The report may help you answer the following...

Blog Reorganization

• CERT/CC Blog
Chad Dougherty

Hi, folks. As you can see, we've changed the name of the Vulnerability Analysis Blog to the CERT/CC Blog. With this name change, we're expanding the focus of the blog to include content from other technical teams. The current RSS and Atom feeds will continue to work, but you may want to update to the corresponding new feed location now (RSS, Atom) in order to avoid any problems in the future. Past blog entries will...

Study of Malicious Domain Names: TLD Distribution

• CERT/CC Blog
Chad Dougherty

Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes: Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this initial research are very telling as to the true state of security on the internet....

CERT Basic Fuzzing Framework

• CERT/CC Blog
Will Dormann

Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we are releasing a simplified version of automated dumb fuzzing, called the Basic Fuzzing Framework (BFF)....

Top-10 Top Level and Second Level Domains Found in Malicious Software

• CERT/CC Blog
Chad Dougherty

Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write: Recently there have been some statistics published on botnet Command & Control (C2) channels. These statistics claim that 94.58% of botnet C2 channels are under the .com top level domain (TLD). While it's impossible to accurately comment on those statistics without knowing the methodology used to arrive at them, we at...

Plain Text Email in Outlook Express

• CERT/CC Blog
Will Dormann

Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out, Outlook Express (and its derivatives) is doing more than you think when it is configured with the "Read all messages in plain text" option enabled....

Managing IPv6 - Part 2

• CERT/CC Blog
Ryan Giobbi

Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings....

Managing IPv6 - Part 1

• CERT/CC Blog
Ryan Giobbi

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded....

Internet Explorer Kill-Bits

• CERT/CC Blog
Will Dormann

The Kill-Bit (or "killbit") is a Microsoft Windows registry value that prevents an ActiveX control from being used by Internet Explorer. More information is available in Microsoft KB article 240797. If a vulnerability is discovered in an ActiveX control or COM object, a common mitigation is to set the killbit for the control, which will cause Internet Explorer to block use of the control. Or will it?...

Mitigating Slowloris

• CERT/CC Blog
Ryan Giobbi

Slowloris is a denial-of-service (DoS) tool that targets web servers. We have some suggestions about mitigation techniques and workarounds to protect your server. However, use caution if you implement any of these suggestions because they will likely have some unintended side effects....

Vulnerabilities and Attack Surface

• CERT/CC Blog
Will Dormann

Two recent US-CERT Vulnerability Notes describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, that both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative. The two vulnerability notes are quite similar, except for one aspect: attack surface....

Release of Dranzer ActiveX Fuzzing Tool

• CERT/CC Blog
Will Dormann

Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls. We've been using the Dranzer ActiveX fuzz testing tool for over three years, and we've found a large number of vulnerabilities with it. I've tagged a few of the US-CERT Vulnerability notes with the "Dranzer" keyword to show the sort of vulnerabilities...

Bypassing Firewalls with IPv6 Tunnels

• CERT/CC Blog
Ryan Giobbi

Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs. If you'd like a demonstration, watch this video that we created....

Conficker.C: How Many Are There?

• CERT/CC Blog
Sid Faber

Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful....

Windows Installer Application Resiliency

• CERT/CC Blog
Will Dormann

Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of the steps taken to mitigate a vulnerability....

Internet Explorer Vulnerability Attack Vectors

• CERT/CC Blog
Will Dormann

Hey, it's Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed in MS09-002. An interesting thing about these exploits is the attack vector. The technique used in these attacks has several security impacts that may not be immediately obvious....

Reference Implementations for Securing Your Web Browser Guidelines

• CERT/CC Blog
Will Dormann

It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the process easier, we developed reference implementations of the guidelines for both Microsoft Internet Explorer and Mozilla Firefox....

Recommendations to Vendors for Communicating Product Security Information

• CERT/CC Blog
Chad Dougherty

Hi, this is Chad Dougherty of the Vulnerability Analysis team. One of the important roles that our team plays is coordinating vulnerability information among a broad range of vendors. Over the years, we have gained a considerable amount of experience communicating with vendors of all shapes and sizes. Based on this experience, we can offer some guidance to vendors about communicating product security issues....

Filtering ICMPv6 Using Host-Based Firewalls

• CERT/CC Blog
Ryan Giobbi

Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know....

Reported Vulnerability in CERT Secure Coding Standards Website

• CERT/CC Blog
Will Dormann

Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that the behavior described is not a vulnerability....

Ping Sweeping in IPv6

• CERT/CC Blog
Ryan Giobbi

Hello, it's Ryan. We've noticed a misconception about IPv6 that is popular on the internet: that IPv6 addresses are hard to ping sweep because there are so many possible addresses. Ping sweeping can lead to port scanning, so this misconception is viewed as a security feature. In this post, I'll prove that, while it won't work across the internet, ping sweeping on the local network is easier in IPv6 than in IPv4....

Carpet Bombing and Directory Poisoning

• CERT/CC Blog
Will Dormann

Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable to the same type of attack. However, some people seem to be missing an aspect of the attack that affects all web browsers....

Safely Using Package Managers

• CERT/CC Blog
Ryan Giobbi

Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker can abuse package managers that use digital signatures....

ActiveX Vulnerability Discovery at the CERT/CC

• CERT/CC Blog
Will Dormann

Hi, it's Will. Anybody who has been keeping an eye on the US-CERT Vulnerability Notes has probably noticed that I've published a lot of ActiveX vulnerabilities. So it should be no surprise to learn that we have been testing ActiveX controls and discovering vulnerabilities in the process....

Signed Java Applet Security: Worse than ActiveX?

• CERT/CC Blog
Will Dormann

Hi, it's Will again. ActiveX vulnerabilities seem to be getting a lot of attention lately. However, Java applets are also a concern. The classic understanding of a Java applet is that it runs in a sandbox in your web browser. This model prevents a Java applet from accessing sensitive resources, such as your file system or registry. So, barring vulnerabilities in the Java Virtual Machine (JVM), Java applets should not have the ability to do...

Is Your Adobe Flash Player Updated?

• CERT/CC Blog
Will Dormann

Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time of this writing, is 9.0.124.0. Even if you think that you are up to date, can you be sure?...

Who Has My Cookies?

• CERT/CC Blog
Ryan Giobbi

Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to make life easier can actually be exploited to expand the impact of a cross-site scripting attack. Single sign-on is an access-control technology that enables a user to log in once and gain access to multiple systems....

The Dangers of Windows AutoRun

• CERT/CC Blog
Will Dormann

Hi, this is Will Dormann of the CERT/CC Vulnerability Analysis team. A few months ago, reports of infected digital picture frames hit the media. I was curious about how the malicious code was being executed, so I began investigating the Microsoft AutoRun and AutoPlay features....

Vulnerability Analysis at the CERT/CC

• CERT/CC Blog
Art Manion

Hi, this is Art Manion, the Vulnerability Analysis team lead at the CERT Coordination Center (CERT/CC). For our first blog entry, I'd like to briefly explain our efforts to reduce software vulnerabilities....
