Vulnerability Analysis Publications

Why Cybersecurity Is Not Like the Immune System
The idea of a cyber-immune system sometimes circulates through the community, but such proposals tend to misframe how the immune system works, how good computer security would work, or both. In this blog post, Jonathan Spring puts both ideas in context in order to make clear why cybersecurity is not like the immune system, and why it would be nice if it were.

Observations of Successful Cyber Security Operations
In this 2013 webinar, Roman Danyliw discusses how cyber security organizations react to new technologies or adversaries.

Well There's Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File
In this 2012 report, Allen Householder describes an algorithm for reverting bits from a fuzzed file to those found in the original seed file to recreate the crash.

Probability-Based Parameter Selection for Black-Box Fuzz Testing
In this 2012 report, the authors describe an algorithm for automating the selection of seed files and other parameters used in black-box fuzz testing.

Vulnerability Detection in ActiveX Controls Through Automated Fuzz Testing
In this 2008 paper, the authors explore the results of testing a large number of ActiveX controls, which provides insight into the current state of ActiveX security.

2011
  • 09/01/2011 2010 CERT Research Report In this 2010 report, the authors highlight CERT Division 2010 accomplishments and activities in successfully executing its research strategy.
2005
  • 12/01/2005 Botnets as a Vehicle for Online Crime In this paper, the authors describe the capabilities present in bot malware and the motivations for operating botnets.
  • 06/01/2005 Spyware In this 2005 paper, the authors give an overview of spyware, provide examples of common threats, and describe how to defend against spyware.
  • 05/01/2005 Technical Trends in Phishing Attacks In this paper, Jason Milletary identifies technical capabilities used to conduct phishing scams, reviews trends, and discusses countermeasures.
  • 01/03/2005 2005 CERT Research Report In this 2005 report, the authors summarize CERT research conducted in fiscal year 2005.
  • 01/01/2005 A Structured Approach to Classifying Security Vulnerabilities In this 2005 report, the authors propose a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.
1995
  • 12/31/1995 1995 CERT Advisories This document contains the CERT advisories from 1995.
  • 08/15/2017 The CERT Guide to Coordinated Vulnerability Disclosure We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into...
  • 10/05/2016 Announcing CERT Basic Fuzzing Framework Version 2.8 Today we are announcing the release of the CERT Basic Fuzzing Framework Version 2.8 (BFF 2.8). It's been about three years since we released BFF 2.7. In this post, I highlight some of the changes we've made....
  • 08/02/2016 The Risks of Google Sign-In on iOS Devices The Google Identity Platform is a system that allows you to sign in to applications and other services by using your Google account. Google Sign-In is one such method for providing your identity to the Google Identity Platform. Google Sign-In...
  • 06/06/2016 Visualizing CERT BFF String Minimization I've been working on a presentation called CERT BFF - From Start to PoC. In the process of preparing my material, I realized that a visualization could help people understand what happens during the BFF string minimization process....
  • 05/30/2016 Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, white papers, webinars, and podcasts. These publications highlight the latest work of...
  • 05/23/2016 Vehicle Cybersecurity: The Jeep Hack and Beyond This blog post was co-authored by Dan Klinedinst. Automobiles are often referred to as "computers on wheels" with newer models containing more than 100 million lines of code. All this code provides features such as forward collision warning systems and...
  • 05/18/2016 When Is a Vulnerability a Safety Issue? As you may have read in a previous post, the CERT/CC has been actively researching vulnerabilities in the connected vehicles. When we began our research, it became clear that in the realm of cyber-physical systems, safety is king. For regulators,...
  • 05/09/2016 10 At-Risk Emerging Technologies In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that may arise from new technologies. Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security...
  • 04/20/2016 On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle We worked with DHS US-CERT and the Department of Transportation's Volpe Center to study aftermarket on-board diagnostic (OBD-II) devices to understand their cybersecurity impact on consumers and the general public....
  • 03/11/2016 Vulnerability IDs, Fast and Slow The CERT/CC Vulnerability Analysis team has been engaged in a number of community-based efforts surrounding Coordinated Vulnerability Disclosure lately. I've written previously about our involvement in the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities. Today I'll highlight our ongoing work in...
  • 03/08/2016 How to Win Friends and Coordinate a Vulnerability The CERT/CC Vulnerability Analysis team for nearly 30 years now has provided assistance for coordinated vulnerability disclosure (CVD). In a nutshell, we help security researchers communicate with software vendors to resolve security issues, and we get that information in the...
  • 01/27/2016 Coordinating Vulnerabilities in IoT Devices The CERT Coordination Center (CERT/CC) has been receiving an increasing number of vulnerability reports regarding Internet of Things devices and other embedded systems. We've also been focusing more of our own vulnerability discovery work in that space. We've discovered that...
  • 11/05/2015 E Pluribus, Que? Identifying Vulnerability Disclosure Stakeholders On September 29, Art Manion and I attended the first meeting of the Multistakeholder Process for Cybersecurity Vulnerabilities initiated by the National Telecommunications and Information Administration (NTIA), part of the United States Department of Commerce. There has been ample coverage...
  • 09/02/2015 CVSS and the Internet of Things There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked about presentations at this year's Black Hat and DefCon events were about hacking IoT...
  • 08/20/2015 Recent Conference Presentations by the Vulnerability Analysis Team A number of us on the Vulnerability Analysis team have been out and about giving talks at various conferences recently. This post provides links to the presentation slides, related blog posts, and the videos where available....
  • 08/06/2015 Reach Out and Mail Someone Every day, we receive reports from various security professionals, researchers, hobbyists, and even software vendors regarding interesting vulnerabilities that they discovered in software. Vulnerability coordination--where we serve as intermediary between researcher and vendor to share information, get vulnerabilities fixed, and...
  • 07/22/2015 Comments on BIS Wassenaar Proposed Rule Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize...
  • 07/07/2015 Like Nailing Jelly to the Wall: Difficulties in Defining "Zero-Day Exploit" During the Watergate hearings, Senator Howard Baker asked John Dean a now-famous question: "My primary thesis is still: What did the president know, and when did he know it?" If you understand why that question was important, you have some...
  • 04/06/2015 Top 10 CERT/CC Blog Posts on Vulnerabilities and SSL Tools In 2014, approximately 1 billion records of personally identifiable information were compromised as a result of cybersecurity vulnerabilities. In the face of this onslaught of compromises, it is important to examine fundamental insecurities that CERT researchers have identified and that...
  • 03/13/2015 The Risks of SSL Inspection Recently, SuperFish and PrivDog have received some attention because of the risks that they both introduced to customers because of implementation flaws. Looking closer into these types of applications with my trusty CERT Tapioca VM at hand, I've come to...
  • 01/06/2015 What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems? Hi folks, Allen Householder here. In my previous post, I introduced our recent work in surveying vulnerability discovery for emerging networked systems (ENS). In this post, I continue with our findings from this effort and look at the differences between...
  • 12/15/2014 Vulnerability Coordination and Concurrency Modeling Hi, it's Allen. In addition to building fuzzers to find vulnerabilities (and thinking about adding some concurrency features to BFF in the process), I've been doing some work in the area of cybersecurity information sharing and the ways it can...
  • 11/20/2014 Vulnerability Discovery for Emerging Networked Systems Hi folks, Allen Householder here. I want to introduce some recent work we're undertaking to look at vulnerability discovery for emerging networked systems (including cyberphysical systems like home automation, networked cars, industrial control systems and the like). In this post...
  • 09/03/2014 Finding Android SSL Vulnerabilities with CERT Tapioca Hey, it's Will. In my last blog post, I mentioned the release of CERT Tapioca, an MITM testing appliance. CERT Tapioca has a range of uses. In this post, I describe one specific use for it: automated discovery of SSL...
  • 08/21/2014 Announcing CERT Tapioca for MITM Analysis Hi folks, it's Will. Recently I have been investigating man-in-the-middle (MITM) techniques for analyzing network traffic generated by an application. In particular, I'm looking at web (HTTP and HTTPS) traffic. There are plenty of MITM proxies, such as ZAP, Burp,...
  • 05/12/2014 Heartbleed: Q&A The Heartbleed bug, a serious vulnerability in the OpenSSL cryptographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption used to secure the internet. Heartbleed and its...
  • 05/05/2014 Secure Coding to Prevent Vulnerabilities Software developers produce more than 100 billion lines of code for commercial systems each year. Even with automated testing tools, errors still occur at a rate of one error for every 10,000 lines of code. While many coding standards address...
  • 02/23/2014 A New Approach to Cyber Incident Response According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector,...
  • 02/17/2014 Taking Control of Linux Exploit Mitigations Hey, it's Will. In my last two blog entries, I looked at aspects of two exploit mitigations (NX and ASLR) on the Linux platform. With both cases, Linux left a bit to be desired. In this post, I will explain...
  • 02/10/2014 Differences Between ASLR on Windows and Linux Hi folks, it's Will again. In my last blog entry, I discussed a behavior of NX on the Linux platform. Given that NX (or DEP as it's known on the Windows platform) and Address Space Layout Randomization (ASLR) work hand-in-hand,...
  • 02/03/2014 Feeling Insecure? Blame Your Parent! Hey, it's Will. I was recently working on a proof of concept (PoC) exploit using nothing but the CERT BFF on Linux. Most of my experience with writing a PoC has been on Windows, so I figured it would be...
  • 11/26/2013 Hacking the CERT FOE Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy...
  • 11/14/2013 Prioritizing Malware Analysis Hi, this is Jose Morales, researcher in the CERT:CES team. In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that...
  • 10/24/2013 Analyzing Routing Tables Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers. Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs),...
  • 10/23/2013 BFF 2.7 on OS X Mavericks Hi folks, it's Will. Apple has released OS X Mavericks. Because BFF 2.7 was released before Mavericks, BFF doesn't work right out of the box. But it's actually quite simple to get it working....
  • 10/01/2013 Vulnerabilities and Attack Vectors Hi, this is Will Dormann of the CERT Vulnerability Analysis team. One of the responsibilities of a vulnerability analyst is to investigate the attack vectors for potential vulnerabilities. If there isn't an attack vector, then a bug is just a...
  • 09/30/2013 Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the...
  • 09/24/2013 Signed Java Applet Security Improvements Hi folks, it's Will Dormann. A few months ago I published a blog entry called Don't Sign that Applet! that outlined some concerns with Oracle's guidance that all Java applets should be signed. The problem is that with Java versions...
  • 09/23/2013 One Weird Trick for Finding More Crashes Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version...
  • 09/13/2013 Practical Math for Your Security Operations - Part 2 of 3 Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division again. In my earlier blog post, I offered some ideas for applying set theory in your SOC (Security Operations Center). This time I introduce you to statistics, specifically...
  • 08/15/2013 Mining Ubuntu for Interesting Fuzz Targets Hello, Jonathan Foote here. In this post I'll explain how to use information from databases in stock Ubuntu systems to gather the parameters needed to perform corpus distillation (gathering of seed inputs) and fuzzing against the installed default file type...
  • 08/15/2013 Domains That Are Typos of Other Domains Hello, this is Jonathan Spring. I've been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it's a common one since 'f' is next to 'g' on the standard...
  • 08/08/2013 Tempering the Vulnerability Hype Cycle with CVSS Hi everyone, it's Todd Lewellen. Today, I want to discuss how quantitative vulnerability metrics, like the Common Vulnerability Scoring System (CVSS), can help to develop a more accurate understanding of a vulnerability's severity....
  • 08/06/2013 Practical Math for Your Security Operations - Part 1 of 3 Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division. Mathematics is part of your daily tasks if you're a security analyst. In this blog post series, I'll explore some practical uses of math in your SOC (Security...
  • 07/08/2013 Forensics Software and Oracle Outside In Hi, it's Will. In this post I will discuss the risks of using forensics software to process untrusted data, as well as what can be done to mitigate those risks....
  • 06/04/2013 The Risks of Microsoft Exchange Features that Use Oracle Outside In The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit. It's public knowledge that Microsoft Exchange uses Oracle...
  • 05/08/2013 Keep Calm and Deploy EMET CVE-2013-1347, the Internet Explorer 8 CGenericElement object use-after-free vulnerability has gotten a lot of press lately because it was used in a "watering hole" attack against several sites....
  • 04/30/2013 Don't Sign that Applet! Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies,...
  • 03/11/2013 Watching Domains That Change DNS Servers Frequently Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains...
  • 01/10/2013 Java in Web Browser: Disable Now! Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after...
  • 12/05/2012 Forking and Joining Python Coroutines to Collect Coverage Data In this post I'll explain how to expand on David Beazley's cobroadcast pattern by adding a join capability that can bring multiple forked coroutine paths back together. I'll apply this technique to create a modular Python script that uses gcov,...
  • 11/05/2012 A Look Inside CERT Fuzzing Tools Hi, this is Allen Householder of the CERT Vulnerability Analysis team. If you've been following this blog for a while, you are probably familiar with our fuzzing tools: Dranzer, the CERT Basic Fuzzing Framework (BFF), and the CERT Failure Observation...
  • 10/25/2012 Updates to CERT Fuzzing Tools (BFF 2.6 & FOE 2.0.1) Hi everybody. Allen Householder from the CERT Vulnerability Analysis team here, back with another installment of "What's new in CERT's fuzzing frameworks?" Today we're announcing the release of updates of both our fuzzing tools, the CERT Basic Fuzzing Framework (BFF)...
  • 09/05/2012 Java 7 Attack Vectors, Oh My! While researching how to successfully mitigate the recent Java 7 vulnerability (VU#636312, CVE-2012-4681), we (and by "we" I mean "Will Dormann") found quite a mess. In the midst of discussion about exploit activity and the out-of-cycle update from Oracle, I'd...
  • 08/29/2012 Java Security Manager Bypass Vulnerability Last Sunday, another major Java vulnerability (VU#636312) was reported. Until an official update is available, we strongly recommend disabling the Java 7 plug-in for web browsers. This vulnerability is bad news, at least for those of us trying to avoid...
  • 07/23/2012 CERT Failure Observation Engine 2.0 Released Hi folks, Allen Householder from the CERT Vulnerability Analysis team here. Back in April, we released version 1.0 of the CERT Failure Observation Engine (FOE), our fuzzing framework for Windows. Today we're announcing the release of FOE version 2.0. (Here's...
  • 07/11/2012 Vulnerability Data Archive With the hope that someone finds the data useful, we're publishing an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database....
  • 06/06/2012 AMD Video Drivers Prevent the Use of the Most Secure Setting for Microsoft's Exploit Mitigation Experience Toolkit (EMET) Microsoft EMET is an effective way of preventing many vulnerabilities from being exploited; however, systems that use AMD or ATI video drivers do not support the feature that provides the highest amount of protection....
  • 04/30/2012 CERT Basic Fuzzing Framework 2.5 Released Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post...
  • 04/25/2012 CERT Linux Triage Tools 1.0 Released As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post...
  • 04/23/2012 CERT Failure Observation Engine 1.0 Released In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform....
  • 04/12/2012 Vulnerability Severity Using CVSS If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics....
  • 01/05/2012 CNAME flux Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP...
  • 06/09/2011 Signed Java and Cisco AnyConnect A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the...
  • 05/19/2011 Effectiveness of Microsoft Office File Validation Microsoft recently released a component for Office called Office File Validation that is supposed to help protect against attacks using malformed files. Because I recently performed file fuzzing tests on Microsoft Office, I decided to test the effectiveness of Office...
  • 04/23/2011 A Security Comparison: Microsoft Office vs. Oracle OpenOffice Recently, Dan Kaminsky published a blog entry that compared the fuzzing resiliency of Microsoft Office and Oracle OpenOffice. This blog entry contains the results from a similar test that I performed in November 2010. Also included are some other aspects...
  • 02/28/2011 Announcing the CERT Basic Fuzzing Framework 2.0 Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail...
  • 02/14/2011 "Network Monitoring for Web-Based Threats" Released The CERT Network Situational Awareness (NetSA) team has published an SEI technical report on monitoring web-based threats. The report draws on related work such as OWASP but comes from a different point of view. While OWASP is focused on...
  • 02/11/2011 Blog Reorganization Hi, folks. As you can see, we've changed the name of the Vulnerability Analysis Blog to the CERT/CC Blog. With this name change, we're expanding the focus of the blog to include content from other technical teams. The current RSS...
  • 09/22/2010 CERT Basic Fuzzing Framework Update Hi, folks. We've recently updated the CERT® Basic Fuzzing Framework (BFF). The new BFF 1.1 contains new functionality and improves performance....
  • 08/31/2010 Study of Malicious Domain Names: TLD Distribution Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes: Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this...
  • 05/26/2010 CERT Basic Fuzzing Framework Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we...
  • 03/05/2010 Top-10 Top Level and Second Level Domains Found in Malicious Software Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write: Recently there have been some statistics published on botnet Command & Control (C2) channels. These statistics...
  • 11/13/2009 Plain Text Email in Outlook Express Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out,...
  • 10/06/2009 Managing IPv6 - Part 2 Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings....
  • 08/19/2009 Managing IPv6 - Part 1 This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts...
  • 07/31/2009 Internet Explorer Kill-Bits The Kill-Bit (or "killbit") is a Microsoft Windows registry value that prevents an ActiveX control from being used by Internet Explorer. More information is available in Microsoft KB article 240797. If a vulnerability is discovered in an ActiveX control or...
  • 07/01/2009 Mitigating Slowloris Slowloris is a denial-of-service (DoS) tool that targets web servers. We have some suggestions about mitigation techniques and workarounds to protect your server. However, use caution if you implement any of these suggestions because they will likely have some unintended...
  • 06/25/2009 Vulnerabilities and Attack Surface Two recent US-CERT Vulnerability Notes describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, that both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative....
  • 04/16/2009 Release of Dranzer ActiveX Fuzzing Tool Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls. We've been using the Dranzer ActiveX fuzz...
  • 04/02/2009 Bypassing Firewalls with IPv6 Tunnels Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs....
  • 03/31/2009 Conficker.C: How Many Are There? Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful....
  • 03/13/2009 Windows Installer Application Resiliency Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of...
  • 02/19/2009 Internet Explorer Vulnerability Attack Vectors Hey, it's Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed in MS09-002. An interesting thing about these exploits is the attack...
  • 01/09/2009 Reference Implementations for Securing Your Web Browser Guidelines It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the...
  • 11/20/2008 Recommendations to Vendors for Communicating Product Security Information Hi, this is Chad Dougherty of the Vulnerability Analysis team. One of the important roles that our team plays is coordinating vulnerability information among a broad range of vendors. Over the years, we have gained a considerable amount of experience...
  • 11/07/2008 Filtering ICMPv6 Using Host-Based Firewalls Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know....
  • 10/29/2008 Reported Vulnerability in CERT Secure Coding Standards Website Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that...
  • 09/12/2008 Ping Sweeping in IPv6 Hello, it's Ryan. We've noticed a misconception about IPv6 that is popular on the internet: that IPv6 addresses are hard to ping sweep because there are so many possible addresses. Ping sweeping can lead to port scanning, so this misconception...
  • 09/04/2008 Carpet Bombing and Directory Poisoning Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable...
  • 07/10/2008 Safely Using Package Managers Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker...
  • 07/03/2008 ActiveX Vulnerability Discovery at the CERT/CC Hi, it's Will. Anybody who has been keeping an eye on the US-CERT Vulnerability Notes has probably noticed that I've published a lot of ActiveX vulnerabilities. So it should be no surprise to learn that we have been testing ActiveX...
  • 06/03/2008 Signed Java Applet Security: Worse than ActiveX? Hi, it's Will again. ActiveX vulnerabilities seem to be getting a lot of attention lately. However, Java applets are also a concern. The classic understanding of a Java applet is that it runs in a sandbox in your web browser....
  • 05/29/2008 Is Your Adobe Flash Player Updated? Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time...
  • 05/15/2008 Who Has My Cookies? Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to...
  • 04/24/2008 The Dangers of Windows AutoRun Hi, this is Will Dormann of the CERT/CC Vulnerability Analysis team. A few months ago, reports of infected digital picture frames hit the media. I was curious about how the malicious code was being executed, so I began investigating the...
  • 04/17/2008 Vulnerability Analysis at the CERT/CC Hi, this is Art Manion, the Vulnerability Analysis team lead at the CERT Coordination Center (CERT/CC). For our first blog entry, I'd like to briefly explain our efforts to reduce software vulnerabilities....

Vulnerability Notes provide timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.