I have been a Microsoft guy since what, 94 or so, but I had to Google Power Pages.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
Apparently I am getting one more #CVE this year, and this one is kind of cool :)
Earlier this year, I found a critical vulnerability in the Microsoft Update Catalog (https://catalog.update.microsoft.com). This is the site where you go to download individual update packages for Microsoft products.
I #redteam for #microsoft and I pulled off that exploit as part of my normal work. Previously Microsoft hasn't issued CVEs for service vulnerabilities, but now as part of the expanded Secure Future Initiative, critical vulnerabilities in Microsoft services get CVEs. I think 9.3/8.4 is the highest CVSS I've ever gotten.
This is a "no action" CVE, because there's nothing for you to do to make yourself safer. Microsoft already patched the service.
I don't know if I can say more about the exploit than what's in the official disclosure. You can read that here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49147
Happy 25th birthday, @CVE_Program
The PSF is a partnered #CVE Numbering Authority (CNA), providing accurate #vulnerability data so Pythonistas can deploy #Python safely. Last year we published a guide on how other Open Source projects can become CNAs and manage their own vulnerabilities!
https://www.cve.org/Media/News/item/blog/2024/10/22/CVE-Program-Celebrates-25-Years
What are they thinking, releasing a bug without a logo.
https://go.theregister.com/feed/www.theregister.com/2024/09/26/unauthenticated_rce_bug_linux/
A 9.9 #CVE in #Linux. Heartbleed was 7.5. Holy hell. https://news.ycombinator.com/item?id=41658067 #Security
#CVE is broken. Irreparably busted.
I know folks see these stats all the time now, but i needed to process some 2024 data for a thing and there's no way that backlog is going to be handled cleanly/responsibly.
Perhaps it's a good thing vendors are their own CNAs now so they can hide more vulns from everyone and not contribute to this backlog?
We need metrics to figure out which #CVE matter
There is a group of people screaming we should just fix all the vulnerabilities by upgrading everything constantly (it seems obvious these people have never actually maintained software for more than 3 months)
Without a way to prioritize fixes, we can't move from this "fix all the criticals in one Scaramucci"
This is probably why #EPSS is getting so much attention. It's the least terrible scoring system we have at the moment
The number of CNAs over time (#CVE Numbering Authorities). At 385 right now. Over 20,000 CVEs published in the first half of 2024.
From the "CVE Program and CNA Quarterly Report"
ICYMI: AlmaLinux OS 9 was impacted by a newly disclosed vulnerability in OpenSSH on Linux systems.
We're committed to delivering patches to our users quickly. The decision to build the update and push the package to production without waiting for a CentOS Stream or RHEL update was made by our technical steering committee, ALESCo.
The patch for #CVE-2024-6409 has been released and is available for AlmaLinux OS 9 users: https://almalinux.org/blog/2024-07-09-cve-2024-6409/ #OpenSource #Linux
Interesting how #CVE are leveraged as resume items, putting #programmers #developers & project leads under pressure by #bogus CVE reports or unnecessary high CVE ratings.
Popular and obscure programs are affected in the #OpenSource #POSIX world e.g #Linux #freeBSD #netBSD #openBSD
#Curl by #Daniel #Stenberg and #IP by #Fedor #Indutny are popular programs hit by this #phenomena which can lead to unwarranted #panic in the users space
Achievement unlocked - Got a minor credit in a CVE.
mcphail wrote:
"I recently found a bug in Snap, a package manager for Ubuntu and other Linux distributions, which allows the snap to escape the sandbox and run arbitrary code (as the user) if the home permission is set. This exploit could be run on a vanilla install of Ubuntu and was patched in commit aa191f9 on 13th March 2024."
https://gld.mcphail.uk/posts/explaining-cve-2024-1724/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1724
While talking to @kurtseifried today we realized the company #NIST just hired to work on #NVD, Analygence, is also helping #CISA work on #Vulnrichment
I'm starting to wonder if #CISA should just take #CVE, #NVD, and everything else in house instead of this current web of madness
Vulnrichment is already way easier to interact with than #NVD or #CVE ever was. They use GitHub, accept PRs and issues, and actually respond in a timely manner
NIST turns to IT consultants to clear National Vulnerability Database backlog
"According to the agency's statement last week, it hopes to reach its pre-February processing rate of CVEs within the next few months. NIST predicted it should be caught up and back to processing current CVEs by the end of the fiscal year."
I'm taking part in a webinar at work tomorrow. At some point before then, I need to stop fiddling with the slides!
But I can't stop re-aligning things, tweaking the colours, or changing logos.
https://get.anchore.com/adapting-to-new-normal-at-nvd-anchore-vulnerability-feed/
Just made CVE info and Fediverse posts collapsible on https://cvecrowd.com.
Going live in a few minutes. Hope you like it!
Put yourself in Jia Tan's shoes, the malicious contributor to the xz backdoor...
It's been, what, two... three?... years since you started this campaign. You've had the entire support of your team and of your chain of command.
Your coders created a complex and sublime backdoor. A secure! backdoor that only you and your team could connect to. Heck it can even be deleted remotely. This is clean code. A responsible hack that doesn't open up the backdoor for others to hijack.
You spend years on your long con - your social engineering skills are at the top of the game. You've ingratiated yourself painstakingly into multiple teams. Finally it all pays off and you're ready to go!
You succeed multiple times in getting your backdoor inserted in all the major Linux distributions!!! Now it's just a matter of weeks before it makes it to production and stable releases!
This is the culmination of years of labor and planning and of a massive team and budget.
You did good.
This will get you promoted. Esteemed by your colleagues and leadership alike. Your spouse and kids will understand why you haven't been at home lately and why you've spent all those late nights at the office.
It's finally going to pay off.
But what's this?! Some rando poking around in their box running a pre-release unstable version of Linux has found everything?!?! It's all being ripped down?! And on a Friday before a western holiday weekend?!?!
Fuck. Fuck. FUCK!!!
Three years for nothing!!! My wife is going to leave me! I missed my kid's recital for this!!! They'll hate me because I told them it was worth it. Daddy will be able to play with you again once Daddy finishes this last bit of work. But it was all for nothing!!!
Leadership took a big risk on me and my team but I kept assuring them it would pay off!
It would be one thing if another nation state found it and stopped it. But one random dude poking his nose where it shouldn't belong?! Ohhh fuck, I'm going to be fired. We're going to lose our budget. My team is going to be fired. I've let down everyone that ever believed in me and supported me and relied on me!
Oh fuck!!!
Just a professional tip to the xz maintainer who put the backdoor in...
...might wanna go to ground, lol. Hopefully you're working for a government sponsored APT and you can get some safe haven.
A lot of folks are going to be looking for your head.
(Edit to include: Here's hoping it wasn't extortion. They'll probably hang you out to dry. Shit sandwich all around.)