CVE-Announce e-newsletter/May 15, 2006 (opt-in newsletter from the CVE Web site)

From: CVE Announce List (cve@mitre.org)
Date: Mon May 15 2006 - 10:26:51 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/May 15, 2006
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

CVE Names Included in Spring Update of "SANS Top Twenty" List of
Internet Security Threats

The "2006 Spring Update" to the "Twenty Most Critical Internet Security
Vulnerabilities," a SANS/FBI consensus list of the most critical problem
areas in Internet security, was released on May 1, 2006 and includes an
additional 55 CVE names. The full list now includes 296 CVE names.
According to the SANS Web site, this latest update of the Top Twenty
"enables cyber security professionals to tune their defensive systems to
reflect the most important new vulnerabilities that attackers are
exploiting to take over computers and steal sensitive or valuable
information." The list includes CVE names with both entry and candidate
status to uniquely identify the vulnerabilities it describes. This will
help system administrators use CVE-compatible products and services to
help make their networks more secure.

The spring update lists eight major trends: (1) rapid growth in critical
vulnerabilities being discovered in Mac OS/X including a zero-day
vulnerability; (2) substantial decline in the number of critical
vulnerabilities in Windows Services, offset by flaws in client-side
software; (3) continuing discovery of multiple zero-day vulnerabilities
in Internet Explorer; (4) rapid growth in critical Firefox and Mozilla
vulnerabilities; (5) surge in commodity zero-day attacks used to
infiltrate systems for profit motives; (6) rapid growth in three types
of critical vulnerabilities (Oracle, Veritas Back-Up and SQL Injection
attacks) allowing direct access to databases, data warehouses, and
backup data; (7) continuing surge in file-based attacks, especially
using media and image files, Microsoft Excel files, etc.; and (8) a
rapid spread of spear-phishing attacks especially among defense and
nuclear energy sites.

SANS is a member of the CVE Editorial Board and its education and
training materials are listed in the CVE-Compatible Products and
Services section at http://cve.mitre.org/compatible/.

LINKS:

SANS Top Twenty '2006 Spring Update' -
http://www.sans.org/top20/2005/spring_2006_update.php

CVE List - http://cve.mitre.org/cve

---------------------------------------------------------------
HOT TOPIC:

Second Draft of Common Weakness Enumeration (CWE) Now Available

The second draft of CWE has been posted on the CWE List page on the CVE
Web site. Changes include (1) cleaning up the names of the current
elements, and (2) full expansion of the current elements using
additional content from PLOVER, Seven Pernicious Kingdoms, and CLASP.

CWE is a community-developed formal list of common software weaknesses,
idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a
common language for describing software security vulnerabilities, a
standard measuring stick for software security tools targeting these
vulnerabilities, and as a baseline standard for vulnerability
identification, mitigation, and prevention efforts. Broad community
adoption of CWE will help shape and mature the code security assessment
industry and also dramatically accelerate the use and utility of
software assurance capabilities for organizations in reviewing the
software systems they acquire or develop.

Our next step in building CWE involves gathering data about weaknesses
from ten tool and knowledge sources and then merging this new data into
the current list to create a third draft. We welcome any comments about
CWE at cwe@mitre.org.

LINK:

CWE - http://cve.mitre.org/cwe/index.html

-----------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Presents Briefing at DOD "System and Software Technology
   Conference" on May 4th

* CWE Main Topic of Briefing at DOD "System and Software Technology
   Conference" on May 4th

* CVE Presents Briefing at "GFIRST National Conference 2006" on May 3rd

* 603 CVE Names with Candidate Status Added to CVE List in April

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE
and provides impartial technical guidance to the CVE Editorial Board on
all matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org.
To subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2006, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.