Slashdot Mirror


Gov't.-published List of Computer Security Holes

Arngautr writes "ScienceDaily.com reports that The U.S. government has created a 'comprehensive database of computer vulnerabilities,' The National Vulnerability Database. Updated daily, it currently includes almost 12,000 vulnerabilities. Should be a boon to IT professionals and script kiddies alike."

25 comments

  1. This might actually be useful by Anonymous Coward · · Score: 4, Interesting

    The first thing that caught my eye on there was "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges."

    And guess which version of Tar is GNU's latest.

    Anyway, I can't believe I'm saying this, but thanks US Gov!

    1. Re:This might actually be useful by Captain+BooBoo · · Score: 1

      Sure it's useful...everything the government puts out is "useful" in some way or another. Personally I like the idea. The question is when the site will be hacked.

    2. Re:This might actually be useful by nocomment · · Score: 1

      Ya the only way it could be any better is if they said which vulns actually had known exploits with links to the source. For, you know, testing purposes.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    3. Re:This might actually be useful by MobyDisk · · Score: 2, Interesting

      Granted, it would be a nice feature, but why would you run tar as root to install something into a globally readable folder without fully knowing what it is extracting? And why is it tar's job to tell you that this is a bad idea?

      "which may allow local users or remote attackers to gain privileges."

      A better way to say that is that you are giving local users or remote attackers privileges. This is very different from a buffer overflow.

  2. Which is it? by base3 · · Score: 1

    From the posting: "Should be a boon to IT professionals and script kiddies alike."
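
      The setuid/setgid question raised in the first comment and in MobyDisk's reply can be checked before any extraction happens. The script below is an added example, not code from the thread, from GNU tar, or from the NVD: it lists the members of an archive and reports those that would land on disk with the setuid or setgid bit set, along with the other classic tar hazards (absolute names, ".." traversal, links that escape the extraction directory), and it can rewrite the archive with the special bits cleared. The archive it inspects is constructed in memory for the demonstration; the member names and modes are made up.

```python
"""Pre-extraction audit of a tar archive for setuid/setgid members.

Added example (not from the original thread, GNU tar, or the NVD).
The sample archive is constructed in memory; its names and modes are
invented for the demonstration.
"""
import io
import stat
import tarfile


def _add_member(tar, name, data=b"", mode=0o644):
    """Add a regular-file member with an explicit mode to an open archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive():
    """Constructed sample: one benign file, a setuid and a setgid binary,
    an absolute path and a '..' traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_member(tar, "pkg/README", b"hello\n", 0o644)
        _add_member(tar, "pkg/bin/helper", b"\x7fELF", 0o4755)  # setuid
        _add_member(tar, "pkg/bin/mailq", b"\x7fELF", 0o2755)   # setgid
        _add_member(tar, "/etc/cron.d/evil", b"* * * * * root id\n", 0o644)
        _add_member(tar, "../.bashrc", b"echo pwned\n", 0o644)
    return buf.getvalue()


def audit_archive(tar_bytes):
    """Return {member_name: [reasons]} for every member that should not be
    extracted blindly. An empty dict means nothing suspicious was found."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            reasons = []
            if m.mode & stat.S_ISUID:
                reasons.append("setuid")
            if m.mode & stat.S_ISGID:
                reasons.append("setgid")
            if m.name.startswith("/"):
                reasons.append("absolute path")
            if ".." in m.name.split("/"):
                reasons.append("path traversal")
            if m.issym() or m.islnk():
                # a link target outside the extraction root is flagged too
                if m.linkname.startswith("/") or ".." in m.linkname.split("/"):
                    reasons.append("link escapes extraction dir")
            if reasons:
                findings[m.name] = reasons
    return findings


def strip_special_bits(tar_bytes):
    """Rewrite the archive with setuid/setgid/sticky bits cleared, so the
    rest of the contents can still be extracted without granting anything."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            m.mode &= ~(stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX)
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, why in audit_archive(archive).items():
        print(f"{name}: {', '.join(why)}")
```

      Run it against any real archive by replacing build_sample_archive() with the file's bytes; the point is that the special bits are visible in the headers long before tar is asked to create the files, so the warning the comment wants does not have to come from tar itself.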

    Are we for full disclosure or security through obscurity? Let's decide which and be consistent, please.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:Which is it? by CDarklock · · Score: 1

      But we ARE consistent. We consistently make no value judgements on which side of the security fence is the "right" side.

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
    2. Re:Which is it? by superpulpsicle · · Score: 1

      Unfortunately the judgement is based on $$$.

  3. Next step... by Anonymous Coward · · Score: 0

    Outlaw any *other* lists of vulnerabilities. After all, Big Brother loves you. To believe the lies of any other unofficial vulnerability lists would be UnAmerican. You don't want to be UnAmerican, do you, citizen?

    1. Re:Next step... by TheCreeep · · Score: 1, Interesting

      I ran a couple of searches:
      "windows"
      There are 767 matching records.
      "linux"
      There are 1055 matching records.
      My guess is that they missed some bugs :/

    2. Re:Next step... by Ingolfke · · Score: 2, Insightful

      My guess is that they missed some bugs :/

      The list is no doubt not absolutely complete... but you could easily attribute the difference in the # of vulnerabilities between Windows and Linux to the fact that Linux is Open Source, and therefore more people are participating in the debugging process. Or it could be that Windows really does have fewer vulnerabilities than Windows. Of course that doesn't mean that the vulnerabilities that it does have are less impactful than those on Linux.

    3. Re:Next step... by Muad'Dave · · Score: 1

      "microsoft" returns 1127 hits.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    4. Re:Next step... by TheCreeep · · Score: 0

      ... and the fact that some vulnerabilities turned up in a "linux" search even though they don't refer to the kernel. For example "the Linux Project Heartbeat" or "Adobe Reader on Linux, Solaris, HP-UX, and AIX". But then not all "windows" vulnerabilities refer to the OS. So mod parent's parent inconsistent :).

    5. Re:Next step... by Muad'Dave · · Score: 1

      "XP" returns 914.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    6. Re:Next step... by Chaotic+Spyder · · Score: 1

      OOPS..

      Or it could be that Windows really does have fewer vulnerabilities than Windows

      Maybe "Or it could be that Linux really does have fewer vulnerabilities than Windows"

      --
      Losers whine about their best, Winners go home to fuck the prom queen
    7. Re:Next step... by It+doesn't+come+easy · · Score: 2, Informative

      It depends on the search criteria. The initial page doesn't tell you what it's doing. If you use the "Advanced Search" page, and select for the Vendor, you get:
      Linux = 942
      Microsoft = 1097

      I'm not sure who the Linux vendor is. :)

      Then, if you search by remotely executable and high vulnerability, you get:
      Linux = 232
      Microsoft = 376

      If you add "allows admin access" you get:
      Linux = 110
      Microsoft = 62

      So, expect to see all sorts of statistics to prove one way or the other that both Windows and Linux are the more secure system. Should be fun.

      One thing that might be interesting is to compare similar products to see who has the most and the worst vulnerabilities (especially if you are about to buy something).

      --
      The NSA: The only part of the US government that actually listens.
    8. Re:Next step... by NemoX · · Score: 2, Interesting

      But, this compares a platform (consisting of many companies with many products) to one company (with many products).

      Try the advanced search and compare O/S to O/S...which yields:

      Windows XP: 139
      SuSE Linux 9.3: 8

    9. Re:Next step... by It+doesn't+come+easy · · Score: 1

      True. No doubt everyone will create their own way to slice and dice this search engine. You know what they say about statistics...

      --
      The NSA: The only part of the US government that actually listens.
  4. Unknown bug by TheCreeep · · Score: 4, Funny
    CAN-2005-1767 Summary: Unknown vulnerability in the Linux kernel 2.6.x and 2.4.x allows local users to cause a denial of service (stack fault exception) via unknown attack vectors. Published: 8/5/2005 Severity: Medium

    "I don't know where, I don't know how, but there's a bug in your kernel!"
  5. What, no RSS Feed? by Anonymous Coward · · Score: 1, Insightful

    My compliments to the U.S. Government for having the database, and having it be populated with current information.

    However, the whole thing is a bit 2002 in approach. Please add an RSS feed so that I can scan what's changed since I last looked at it.

    Yours,
    Sysadmin

    1. Re:What, no RSS Feed? by Arctic+Dragon · · Score: 1

      You mean this RSS feed?

    2. Re:What, no RSS Feed? by Anonymous Coward · · Score: 0

      Aah. Thanks. I didn't notice that tiny little RSS feed icon on the bottom left.

      I just naturally expect the web page to provide some sort of LINK REL="alternate" HTML tag so that my browser knows about it.

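      The LINK REL="alternate" tag the commenter expects is what browsers and feed readers use for feed autodiscovery. The snippet below is an added example, not code from the thread or from the NVD site: it holds two constructed HTML pages, one that only shows a feed icon in the body (the situation complained about above) and one that advertises the feed in the document head, and a parser that finds feeds the way a browser does, by looking only at link elements with rel="alternate" and an RSS or Atom media type. The base URL and the feed path are placeholders, not the NVD's real addresses.

```python
"""Feed autodiscovery via <link rel="alternate" type="application/rss+xml">.

Added example (not from the original thread or the NVD site). Both HTML
documents are constructed; example.com and /download/nvd-rss.xml are
placeholders, not real NVD addresses.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

FEED_TYPES = {"application/rss+xml", "application/atom+xml"}

# A page that only shows a feed icon: a human may spot it, a browser will not.
PAGE_ICON_ONLY = """<html><head><title>NVD</title></head>
<body>
<a href="/download/nvd-rss.xml"><img src="rss.gif" alt="RSS"></a>
</body></html>"""

# The same page with the autodiscovery tag; a stylesheet link is included
# to show that not every <link> is a feed.
PAGE_WITH_LINK = """<html><head><title>NVD</title>
<link rel="stylesheet" href="/style.css">
<link rel="alternate" type="application/rss+xml"
      title="NVD recent entries" href="/download/nvd-rss.xml">
</head><body><a href="/download/nvd-rss.xml">RSS</a></body></html>"""


class FeedLinkParser(HTMLParser):
    """Collect (title, absolute_url) for every feed advertised by a <link>."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.feeds = []

    def handle_starttag(self, tag, attrs):
        # <link ...> and <link ... /> both arrive here; attribute names are
        # already lower-cased by HTMLParser, values may be None.
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        mime = a.get("type", "").lower()
        href = a.get("href")
        if "alternate" in rel and mime in FEED_TYPES and href:
            self.feeds.append((a.get("title", ""), urljoin(self.base_url, href)))


def discover_feeds(html, base_url):
    """Return the feeds a browser would offer for this page, in document order."""
    parser = FeedLinkParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.feeds


if __name__ == "__main__":
    base = "https://example.com/"
    print("icon only :", discover_feeds(PAGE_ICON_ONLY, base))
    print("with link :", discover_feeds(PAGE_WITH_LINK, base))
```

      The body link and the image are ignored on purpose: autodiscovery is defined in terms of the link element, which is why a feed that is only reachable through an icon is invisible to the browser even though the URL is right there in the page.
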
  6. SUMMARY: by Jeremiah+Cornelius · · Score: 1

    Hey! It's CVE with an RSS feed!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  7. Full disclosure ? by darthgnu · · Score: 1

    I'm sure the NSA still keeps the most juicy security bugs for itself for "defending" against "cyberterrorism". I am willing to bet they would be willing to use these involuntary backdoors to bring down criminal organizations. Hopefully, all this information is in the hands of "good".

    --
    Freedom is strength, Ignorance is peace, War is slavery.
    1. Re:Full disclosure ? by 3waygeek · · Score: 1

      Well, they are about 200 years ahead of the rest of the world in mathematical theory, so you just might be onto something.

  8. bait? by Anonymous Coward · · Score: 0
    Should be a boon to IT professionals and script kiddies alike.

    heh. i wonder if this was also intended to be bait for the script kiddies.

    1. watch who's digging around in their huge vuln database

    2. start tracking and surveilling those folks, looking for skript kiddie worm writers

    3. ???

    4. profit