search menu icon-carat-right cmu-wordmark

CERT/CC Blog

Vulnerability Insights

Latest Posts

CERT Linux Triage Tools 1.0 Released

CERT Linux Triage Tools 1.0 Released

• CERT/CC Blog
Jonathan Foote

As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post contains an overview of the extension and how it works....

Read More
CERT Failure Observation Engine 1.0 Released

CERT Failure Observation Engine 1.0 Released

• CERT/CC Blog
Allen Householder

In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform. To this end, we have worked to create a Windows analog to the BFF: the Failure Observation Engine (FOE). Through our internal testing, we've been able to help identify, coordinate, and fix exploitable vulnerabilities in...

Read More
Vulnerability Severity Using CVSS

Vulnerability Severity Using CVSS

• CERT/CC Blog
Art Manion

If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics....

Read More
CNAME flux

CNAME flux

• CERT/CC Blog
Jonathan Spring

Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name....

Read More
Challenges in Network Monitoring above the Enterprise

Challenges in Network Monitoring above the Enterprise

• CERT/CC Blog
Jonathan Spring

Recently George Jones and I attended USENIX Security '11. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our CERT® Network Situational Awareness (NetSA) group: Is Large-Scale Network Security Monitoring Still Worth the Effort? One of the foundational principles behind most organizations' network security practices is still "defense in depth," which is implemented using a variety of security controls and monitoring at different locations...

Read More
Signed Java and Cisco AnyConnect

Signed Java and Cisco AnyConnect

• CERT/CC Blog
Will Dormann

A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the Cisco AnyConnect vulnerability is affected. US-CERT Vulnerability Note VU#490097 describes a vulnerability in the Cisco AnyConnect ActiveX and Java clients that allows an attacker to download and execute arbitrary code. The vulnerability note indicates that...

Read More
Effectiveness of Microsoft Office File Validation

Effectiveness of Microsoft Office File Validation

• CERT/CC Blog
Will Dormann

Microsoft recently released a component for Office called Office File Validation that is supposed to help protect against attacks using malformed files. Because I recently performed file fuzzing tests on Microsoft Office, I decided to test the effectiveness of Office File Validation....

Read More
A Security Comparison: Microsoft Office vs. Oracle Openoffice

A Security Comparison: Microsoft Office vs. Oracle Openoffice

• CERT/CC Blog
Will Dormann

Recently, Dan Kaminsky published a blog entry that compared the fuzzing resiliency of Microsoft Office and Oracle OpenOffice. This blog entry contains the results from a similar test that I performed in November 2010. Also included are some other aspects of the Office suites that can affect the software's security....

Read More