This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/May 8, 2008
-------------------------------------------------------
Contents:
1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Identifiers Used throughout "Microsoft Security Intelligence
Report"
CVE Identifiers were used to identify the security issues under
analysis in Microsoft Corporation's recently released "Microsoft
Security Intelligence Report," Volume 4, (July through December
2007). The report provides an "in-depth perspective on the
changing threat landscape including software vulnerability
disclosures and exploits, malicious software (malware), and
potentially unwanted software."
CVE Identifiers were used to "normalize the data set" with each
exploit "matched with its corresponding vulnerability using Common
Vulnerabilities and Exposures (CVE) identifiers and Microsoft
security bulletins." "Each Microsoft security bulletin may address
multiple vulnerabilities, so the Microsoft security
bulletin-to-CVE translation isn't a one-to-one correlation.
Researchers used information provided by the Microsoft Security
Response Center (MSRC), the CVE, the NVD, and SecurityPatch.org to
create a final MSRC-to-CVE mapping." Results of this mapping are
discussed throughout the report, summarized in a chart entitled
"Exploits in select Microsoft products by CVE identifier,
2006-2007," and reviewed in detail in "Appendix B: Exploit Counts
by Microsoft Security Bulletin and CVE ID."
The report also uses the U.S. National Institute of Standards and
Technology's (NIST) U.S. National Vulnerability Database (NVD) and
the Forum of Incident Response and Security Teams' (FIRST) Common
Vulnerability Scoring System (CVSS).
NVD and CVE are sponsored by the National Cyber Security Division
of the U.S. Department of Homeland Security.
LINKS:
Microsoft Security Intelligence Report -
http://www.microsoft.com/security/portal/sir.aspx
CVE List - http://cve.mitre.org/cve
NVD - http://nvd.nist.gov
CVSS - http://www.first.org/cvss
-------------------------------------------------------------
ALSO IN THIS ISSUE:
* IBM Internet Security Systems Posts CVE Compatibility
Questionnaire
* Trustwave Makes Declaration of CVE Compatibility
* MITRE Presents 'Making Security Measurable' Briefing at "CSI
Security Exchange 2008" on April 27
* MITRE Presents 'Making Security Measurable' Briefing at "GOVSEC"
on April 24
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2008, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
