When discussing today's many vulnerabilities, people can use CVE to make sure that they are referring to the same flaw. Suppose I were to tell you that I was hacked yesterday with a buffer-overflow attack in vendor XYZ's Web server. "Oh man!" you might respond, "I was hacked with a buffer overflow in XYZ's Web server as well. It must have been the same exploit!" With CVE, however, I can say, "I was hit with CVE-2007-1234." You might respond, "Oh, I got snagged by CVE-2007-5678." We could then rapidly conclude that while the issue was in the same software product, it was indeed a different vulnerability that each of us suffered from. This consistent nomenclature is helpful in our business. MITRE has also started the Common Malware Enumeration (CME) project, which aims to apply a consistent naming and numbering scheme to malware specimens.
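The correlation the paragraph describes can be done mechanically once reports carry CVE identifiers. The following is an added example, not code from the original answer: it extracts and normalizes CVE IDs from free-text incident notes (the ID syntax is "CVE-", a four-digit year, and a sequence number of at least four digits, which has been unbounded in length since the 2014 format change), then shows that grouping by product name lumps the two incidents together while grouping by CVE ID separates them. The reports and reporter names are constructed; the two CVE IDs are the illustrative ones used in the text above, not real entries.

```python
import re
from collections import defaultdict

# CVE identifier syntax: "CVE-" + 4-digit year + "-" + sequence number of
# at least four digits (no upper bound since the 2014 format change).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical upper-case CVE ID found in text, or None if absent."""
    m = CVE_RE.search(text)
    if not m:
        return None
    return f"CVE-{m.group(1)}-{m.group(2)}"


# Constructed incident reports (hypothetical reporters and product name);
# the CVE IDs are the illustrative ones from the text, not real entries.
REPORTS = [
    {"reporter": "alice", "product": "XYZ Web server",
     "note": "buffer overflow, hit with cve-2007-1234"},
    {"reporter": "bob", "product": "XYZ Web server",
     "note": "buffer overflow, CVE-2007-5678"},
    {"reporter": "carol", "product": "XYZ Web server",
     "note": "buffer overflow in XYZ Web server"},  # no identifier given
]


def group_by_product(reports):
    """Naive correlation: every report against the same product looks alike."""
    groups = defaultdict(list)
    for r in reports:
        groups[r["product"]].append(r["reporter"])
    return dict(groups)


def group_by_cve(reports):
    """CVE-based correlation: distinct IDs are distinct vulnerabilities."""
    groups = defaultdict(list)
    for r in reports:
        key = normalize_cve(r["note"]) or "UNIDENTIFIED"
        groups[key].append(r["reporter"])
    return dict(groups)


def same_vulnerability(report_a, report_b):
    """True/False when both reports carry a CVE ID; None if either lacks one,
    because product name alone cannot settle the question."""
    a = normalize_cve(report_a["note"])
    b = normalize_cve(report_b["note"])
    if a is None or b is None:
        return None
    return a == b


if __name__ == "__main__":
    print("by product:", group_by_product(REPORTS))
    print("by CVE:    ", group_by_cve(REPORTS))
    print("alice vs bob same flaw?", same_vulnerability(REPORTS[0], REPORTS[1]))
```

Carol's report, which names only the product, ends up in an UNIDENTIFIED bucket, which is the practical consequence of the point made later in the answer: home-grown software without CVE entries cannot be correlated this way.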
The vast majority of vulnerabilities cataloged within the enumeration refer to software flaws in specific network service software and client-side applications. They describe exact vulnerabilities in particular products, not classes of vulnerabilities. That is, instead of explaining how buffer overflows generally work, CVE inventories thousands of examples of real buffer-overflow flaws. The list does include a significant number of application attacks, but only against specific applications, such as certain widely used e-commerce packages, enterprise resource planning (ERP) tools, database environments and groupware products. CVE doesn't focus on describing Web application attack classes, like cross-site scripting (XSS), SQL injection and session cloning. Instead, as you might expect, it includes specific examples of those kinds of vulnerabilities in widely used software, such as specific Apache modules, PHP scripts, commercial e-commerce software and so forth.
Here's the rub: a lot of Web application software is home-grown, with organizations rolling their own applications to satisfy their business needs and serve their customers. Thus, it's not widely used software, and flaws in it are not included in CVE. That's not MITRE's fault, though; the list keeps track of vulnerabilities in distributed software so that organizations deploying that software can be aware of its flaws. CVE, however, does not address general categories of flaws or vulnerabilities in company-specific Web applications.
- See how some vulnerability scanner results include relevant CVE identification numbers.
- In March, IT professionals said they were disappointed with the Anti-Spyware Coalition's threat-rating system. Some thought it should have a rating system similar to the Common Vulnerabilities and Exposures (CVE).
Related Q&A from Ed Skoudis
- At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...
- Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ...
- There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.