Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/December 11, 2015
-------------------------------------------------------
Contents:
1. CVE Included in ITU's "Security in Telecommunications and Information Technology 2015"
2. CVE Mentioned in Article about Apple's December Security Fixes for OS X and iOS on eWeek
3. CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for December on Threatpost
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Included in ITU's "Security in Telecommunications and Information Technology 2015"
CVE is included in a September 2015 technical report entitled "Security in Telecommunications and Information Technology 2015" on the International Telecommunication Union (ITU) website. The main topic of the report is an "overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications."
CVE is mentioned in "Chapter 11 - Cybersecurity and incident response," as the main topic of section "11.1.2 Exchange of vulnerability information," as follows: "Recommendation ITU-T X.1520 on the common vulnerabilities and exposures (CVE) provides a structured means to exchange information on security vulnerabilities and exposures and provides a common identifier for publicly-known problems. This Recommendation defines the use of CVE to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this common identifier. This Recommendation is designed to allow vulnerability databases and other capabilities to be used together, and to facilitate the comparison of security tools and services. CVE contains only the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. (It does not contain information such as risk, impact, fix information, or detailed technical information). The primary focus of CVE is to identify known vulnerabilities and exposures that are detected by security tools along with any new problems that are detected."
In addition, Common Vulnerability Scoring System (CVSS) is the main topic of section "11.1.3 Vulnerability scoring," DHS's Common Weakness Enumeration (CWE) is the main topic of section "11.1.4 Exchange of weakness information," Common Weakness Scoring System (CWSS) is the main topic of section "11.1.5 Weakness scoring," Common Attack Pattern Enumeration and Classification (CAPEC) is the main topic of section "11.1.5 Exchange of attack pattern information," and Malware Attribute Enumeration and Characterization (MAEC) is the main topic of section "11.1.7 Exchange of malware characteristics information."
LINKS:
Report –
http://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-SEC-2015-PDF-E.pdf
"Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE)" -
http://www.itu.int/rec/T-REC-X.1520/en
CVE-
https://cve.mitre.org/
CVSS-
https://www.first.org/cvss
CWE-
https://cwe.mitre.org/
CWSS-
https://cwe.mitre.org/cwss/
CAPEC-
https://capec.mitre.org/
News page article -
https://cve.mitre.org/news/index.html#december102015_CVE_Included_in_ITU's_Security_in_Telecommunications_and_Information_Technology_2015
---------------------------------------------------------------
CVE Mentioned in Article about Apple's December Security Fixes for OS X and iOS on eWeek
CVE is mentioned in a December 9, 2015 article entitled "Apple Updates OS X, iOS With Numerous Security Fixes" on eWeek. The main topic of the article is "security updates for [Apple's] desktop Mac OS X 10.11 and mobile iOS 9 operating systems … including networking, graphics and wireless operations."
The CVE-IDs cited in this article include the following: CVE-2015-7110, CVE-2015-7078, CVE-2015-7106, CVE-2015-7077, CVE-2015-7112, CVE-2015-7068, CVE-2015-7083, CVE-2015-7084, CVE-2015-7047, CVE-2015-7112, CVE-2015-7068, CVE-2015-7094, CVE-2015-7073, CVE-2015-7015, CVE-2015-7037, and CVE-2015-7080.
In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.
LINKS:
Article –
http://www.eweek.com/security/apple-updates-os-x-ios-with-numerous-security-fixes.html
CVE-IDs -
https://cve.mitre.org/cve/cna.html
CVE Numbering Authorities -
https://cve.mitre.org/cve/cna.html
News page article -
https://cve.mitre.org/news/index.html#december102015_CVE_Mentioned_in_Article_about_Apple's_December_Security_Fixes_for_OS_X_and_iOS_on_eWeek
---------------------------------------------------------------
CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for December on Threatpost
CVE is mentioned in a December 8, 2015 article entitled "Microsoft Patches 71 Flaws, Two Under Attack; Warns of Leaked XBox Live Cert" on Threatpost. The main topic of the article is the fixes included in Microsoft's Patch Tuesday for December.
CVE is first mentioned in the article with regard to the two vulnerabilities currently under attack, as follows: "… Microsoft released a dozen bulletins today, eight of which it rates as Critical—in particular, the two vulnerabilities currently under attack. The Office vulnerability, CVE-2015-6124, is one of six patched in MS15-131, and is described only as a memory-corruption vulnerability, one of five such flaws patched in the bulletin." "The other vulnerability under attack, CVE-2015-6175, is a kernel memory elevation of privilege in Windows; it's one of four such flaws patched in MS15-135. An attacker would need local access and privileges to a vulnerable Windows client or server, and a successful exploit would allow an attacker to install malware or manipulate data on the compromised computer."
In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.
Visit CVE-2015-6124 (https://cve.mitre.org/cvename.cgi?name=CVE-2015-6124) and CVE-2015-6175 (https://cve.mitre.org/cvename.cgi?name=CVE-2015-6175) to learn more about these issues.
LINKS:
Article –
https://threatpost.com/microsoft-patches-71-flaws-two-under-attack-warns-of-leaked-xbox-live-cert/115601/#sthash.9yFJFG9q.dpuf
CVE-IDs -
https://cve.mitre.org/cve/cna.html
CVE Numbering Authorities -
https://cve.mitre.org/cve/cna.html
News page article -
https://cve.mitre.org/news/index.html#december102015_CVE_Mentioned_in_Article_about_Microsoft's_Patch_Tuesday_Fixes_for_December_on_Threatpost
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Two Critical JavaScript Vulnerabilities on InfoWorld
* CVE Mentioned in Article about Effect of Android's Stagefright Vulnerability in Q3-2015 on DataQuest
* CVE Mentioned in Press Release about Container Security for Enterprise Computing
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.
