CERT/CC Blog

Latest Posts

Safely Using Package Managers

• CERT/CC Blog
Ryan Giobbi

Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker can abuse package managers that use digital signatures....

ActiveX Vulnerability Discovery at the CERT/CC

• CERT/CC Blog
Will Dormann

Hi, it's Will. Anybody who has been keeping an eye on the US-CERT Vulnerability Notes has probably noticed that I've published a lot of ActiveX vulnerabilities. So it should be no surprise to learn that we have been testing ActiveX controls and discovering vulnerabilities in the process....

Signed Java Applet Security: Worse than ActiveX?

• CERT/CC Blog
Will Dormann

Hi, it's Will again. ActiveX vulnerabilities seem to be getting a lot of attention lately. However, Java applets are also a concern. The classic understanding of a Java applet is that it runs in a sandbox in your web browser. This model prevents a Java applet from accessing sensitive resources, such as your file system or registry. So, barring vulnerabilities in the Java Virtual Machine (JVM), Java applets should not have the ability to do...

Is Your Adobe Flash Player Updated?

• CERT/CC Blog
Will Dormann

Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time of this writing, is 9.0.124.0. Even if you think that you are up to date, can you be sure?...

Who Has My Cookies?

• CERT/CC Blog
Ryan Giobbi

Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to make life easier can actually be exploited to expand the impact of a cross-site scripting attack. Single sign-on is an access-control technology that enables a user to login once and gain access to multiple systems....

The Dangers of Windows AutoRun

• CERT/CC Blog
Will Dormann

Hi, this is Will Dormann of the CERT/CC Vulnerability Analysis team. A few months ago, reports of infected digital picture frames hit the media. I was curious about how the malicious code was being executed, so I began investigating the Microsoft AutoRun and AutoPlay features....

Vulnerability Analysis at the CERT/CC

• CERT/CC Blog
Art Manion

Hi, this is Art Manion, the Vulnerability Analysis team lead at the CERT Coordination Center (CERT/CC). For our first blog entry, I'd like to briefly explain our efforts to reduce software vulnerabilities....
