CERT/CC Blog

Vulnerability Insights

Latest Posts

The Growth of IPv6 Announcements

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf again with my colleague Rhiannon Weaver. IPv6, the replacement for IPv4, has been heavily marketed. To consider exactly how popular IPv6 is on the internet, one method is to examine the number of autonomous systems (ASes) that announce IPv6....

An Alternate View of Announced IPv4 Space

• CERT/CC Blog
Leigh Metcalf

In my previous post, I examined the total amount of IPv4 space announced and presented cumulative graphics. While this view is useful in determining how much IPv4 space is announced, it doesn't say much about which IPv4 space is announced....

The Growth Rate of IP Addresses That Are Advertised as Usable on the Internet

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf of the Network Situational Awareness Team. Recently, I have been considering the amount of IPv4 space that is announced on the Internet. All blocks have been allocated, but how many are actually being used? To investigate this, I examined the routing tables to determine which networks were announced on the internet as usable from January 1, 2009 through December 31, 2012....

Watching Domains That Change DNS Servers Frequently

• CERT/CC Blog
Leigh Metcalf

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently....

Anatomy of Java Exploits

• CERT/CC Blog
Art Manion

On behalf of the real author, my colleague David Svoboda (and a couple others who work on the CERT Secure Coding Initiative), here's a post analyzing recent Java exploits....

Java in Web Browser: Disable Now!

• CERT/CC Blog
Art Manion

Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after investigating the Java 7 vulnerability from August, I realized that completely disabling Java in web browsers is not as simple as it should be....

Forking and Joining Python Coroutines to Collect Coverage Data

• CERT/CC Blog
Jonathan Foote

In this post I'll explain how to expand on David Beazley's cobroadcast pattern by adding a join capability that can bring multiple forked coroutine paths back together. I'll apply this technique to create a modular Python script that uses gcov, readelf, and other common unix command line utilities to gather code coverage information for an application that is being tested. Along the way I'll use ImageMagick under Ubuntu 12.04 as a running example....

A Look Inside CERT Fuzzing Tools

• CERT/CC Blog
Allen Householder

Hi, this is Allen Householder of the CERT Vulnerability Analysis team. If you've been following this blog for a while, you are probably familiar with our fuzzing tools: Dranzer, the CERT Basic Fuzzing Framework (BFF), and the CERT Failure Observation Engine (FOE). While creating tools that can find and analyze vulnerabilities makes up a significant portion of our work in the CERT Vulnerability Analysis team, our focus is on developing and communicating the knowledge we've...
