Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/March 15, 2016
-------------------------------------------------------
Contents:
1. Important Message from the CVE Project
2. CVE Mentioned in Article about Tripwire's "2016 Patch Management Study" on Dark
Reading
3. CVE Mentioned in Article about the DROWN Vulnerability on Softpedia
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Important Message from the CVE Project
CVE has been experiencing an unprecedented demand for vulnerability IDs. We look forward
to working with the CVE Editorial Board and the broader vulnerability management
community to significantly improve stakeholder communication, and improve and scale CVE
operations to reduce ID assignment response times and increase product coverage. Details
as they become available will be posted to http://cve.mitre.org/.
LINKS:
CVE List - https://cve.mitre.org/cve/
CVE Editorial Board - https://cve.mitre.org/community/board/
Questions - cve@mitre.org
---------------------------------------------------------------
CVE Mentioned in Article about Tripwire's "2016 Patch Management Study" on Dark Reading
CVE is mentioned in a March 8, 2016 article entitled "Patch Management Still Plagues
Enterprise" on Dark Reading. The main topic of the article is that "In spite of years of
data showing effective patch management to be some of the lowest-hanging fruit in
improving IT risk management, half of enterprises today still aren't getting it right.
So says a new survey out today [by Tripwire, Inc.], which queried over 480 IT
professionals on their patch management practices."
CVE is mentioned in a quote by Tim Erlin, Director, Product Management, Security and IT
Risk Strategist at Tripwire, who states: "The fact is that we, as an industry,
consistently conflate vulnerabilities with patches. They are not the same thing! The
fact is, we identify known vulnerabilities with CVE IDs, and vendors release increments
of code that address some of those CVE IDs. It's not a one-to-one relationship, except
when it is, and bundles are common, except from vendors who don't roll up patches.
Sometimes patches don't fix all the vulnerabilities, and sometimes they fix multiple
vulnerabilities on some platforms but not others. Sometimes a patch is an upgrade,
sometimes it's not, and sometimes you can apply an individual patch or an upgrade to fix
disparate but overlapping sets of vulnerabilities."
The "Tripwire 2016 Patch Management Study" findings are free to read at
http://www.tripwire.com/company/research/tripwire-2016-patch-management-study/.
LINKS:
Dark Reading article - http://www.darkreading.com/endpoint/patch-management-still-plagues-enterprise/d/d-id/1324615
CVE-IDs - https://cve.mitre.org/cve
News page article - https://cve.mitre.org/news/index.html#march102016_CVE_Mentioned_in_Article_about_Tripwire%27s_2016_Patch_Management_Study_on_Dark_Reading
---------------------------------------------------------------
CVE Mentioned in Article about the DROWN Vulnerability on Softpedia
CVE is mentioned in a March 1, 2016 article entitled "A Third of All HTTPS Websites Are
Vulnerable to the DROWN Attack" on Softpedia.
CVE is mentioned when the author states: "The OpenSSL project has released versions
1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack
(CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information.
DROWN stands for "Decrypting RSA using Obsolete and Weakened eNcryption" and . At its
core, the principle behind the DROWN attack relies on the presence of both the SSLv2 and
TLS protocols on target machines. DROWN is a cross-protocol attack, meaning it will use
weaknesses in the SSLv2 implementation against TLS."
Visit the CVE Identifier page for CVE-2016-0800 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800 to learn more about this
issue.
LINKS:
Softpedia article - http://news.softpedia.com/news/a-third-of-all-https-websites-are-vulnerable-to-the-drown-attack-501202.shtml
CVE-IDs - https://cve.mitre.org/cve
News page article - https://cve.mitre.org/news/index.html#march22016_CVE_Mentioned_in_Article_about_the_DROWN_Vulnerability_on_Softpedia
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Three Critical Chrome Vulnerabilities on ThreatPost
* CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld
* CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for March on ThreatPost
* CVE Mentioned in Article about Vulnerabilities in Adobe Acrobat and Reader on
ThreatPost
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.