
CERT/CC Blog

Vulnerability Insights

Latest Posts

Filtering ICMPv6 Using Host-Based Firewalls

Ryan Giobbi

Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know....

Reported Vulnerability in CERT Secure Coding Standards Website

Will Dormann

Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that the behavior described is not a vulnerability....

Ping Sweeping in IPv6

Ryan Giobbi

Hello, it's Ryan. We've noticed a misconception about IPv6 that is popular on the internet: that IPv6 addresses are hard to ping sweep because there are so many possible addresses. Ping sweeping can lead to port scanning, so this misconception is viewed as a security feature. In this post, I'll prove that, while it won't work across the internet, ping sweeping on the local network is easier in IPv6 than in IPv4....

Carpet Bombing and Directory Poisoning

Will Dormann

Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable to the same type of attack. However, some people seem to be missing an aspect of the attack that affects all web browsers....

Safely Using Package Managers

Ryan Giobbi

Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker can abuse package managers that use digital signatures....

ActiveX Vulnerability Discovery at the CERT/CC

Will Dormann

Hi, it's Will. Anybody who has been keeping an eye on the US-CERT Vulnerability Notes has probably noticed that I've published a lot of ActiveX vulnerabilities. So it should be no surprise to learn that we have been testing ActiveX controls and discovering vulnerabilities in the process....

Signed Java Applet Security: Worse than ActiveX?

Will Dormann

Hi, it's Will again. ActiveX vulnerabilities seem to be getting a lot of attention lately. However, Java applets are also a concern. The classic understanding of a Java applet is that it runs in a sandbox in your web browser. This model prevents a Java applet from accessing sensitive resources, such as your file system or registry. So, barring vulnerabilities in the Java Virtual Machine (JVM), Java applets should not have the ability to do...

Is Your Adobe Flash Player Updated?

Will Dormann

Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time of this writing, is 9.0.124.0. Even if you think that you are up to date, can you be sure?...
