
back to article Downed US vuln catalog infected for at least TWO MONTHS

Adobe's ColdFusion web development software is to blame for the downtime of the US Government's National Vulnerability Database. The malware infected two servers, and caused the National Institute for Standards and Technology to take the NVD database and other US government sites offline on Friday. The servers were compromised …

COMMENTS

This topic is closed for new posts.
Silver badge
Thumb Down

Pah! Adobe!

I assume that if they organise entries alphabetically, then early on in the list of national vulnerabilities will be an entry that simply reads: All Adobe software

5
0
Anonymous Coward

Re: Pah! Adobe!

No one can beat Adobe for buggy software, but Apple is close second. Must be all those topless cafe bars in San Jose area.

0
2
Anonymous Coward

Re: Pah! Adobe!

but Apple is close second

I must have missed that one. Where does Apple have a problem?

0
1
Anonymous Coward

Re: Pah! Adobe!

You forgot Oracle!

0
0
Anonymous Coward

Re: Pah! Adobe!

Where does Apple have a problem, lol??

For a start, how about the over 400 known security vulnerabilities in IOS versus zero in Windows Phone, or the 1,840 known vulnerabilities in OS-X versus ~450 in even Windows XP?

0
2
Bronze badge

Re: Pah! Adobe!

Adobe, Java, the bane of a stable network, with all of the bug fixes and security patches.

And today, we introduce the security patch that corrects the security patch that corrects the security patches patch of a patched patch...

0
0
Anonymous Coward

Re: corrects the security patches patch of a patched patch...

AND is guaranteed to break that custom web app for which you paid a pretty penny to streamline your finance processes!

0
0
Anonymous Coward

Re: Pah! Adobe!

Where does Apple have a problem, lol??

Oh dear, oh dear. If lies, damn lies and statistics weren't enough, you also seem to have trouble working with numbers..

Let's start with the issue that you're talking about past exposures instead of current ones, but even without asking you which stuff you smoked to come up with those numbers there is plenty to rip apart with even the most basic thinking:

the over 400 known security vulnerabilities in IOS versus zero in Windows Phone

The problem here is not that Windows phone is safe, but that the two people using it do not collectively form an interesting enough target to even worry about fuzzing the code to discover holes. It's simply not worth the effort. As for 400 known exposures, that can only be "discovered but addressed". So, actually, Windows phone IS indeed safer, but it's a bit like a car with weak brakes which you only use on a small, isolated road with no traffic. God help you if you join the motorway, but please, feel free to become the 3rd buyer of a Windows phone. Ballmer may even give you a free chair once he's glued them together again.

the 1,840 known vulnerabilities in OS-X versus ~450 in even Windows XP

I would actually love for you to tell me how you managed to cook up that number, because you have a great future ahead in banking. Even if we ignore the Tuesday patch trick that let MS aggregate the many, many problems it has had over the years into weekly blocks, the number of PAST problems and possible infections of Windows lies actually in the millions, whereas the number of PAST vulnerabilities of OSX is closer to 40k. Or, put simpler for people who are scared of large numbers: a single digit percentage of Windows. When it comes to current exposures I have actually no idea, but from the discussions I have almost every week with friends that are actually IN the anti-virus industry I get the impression OSX isn't making them much money. Microsoft is, although Win7 has been a lot better - so it only took Microsoft about 2 decades. Well done..

Maybe you should go and find people who understand maths, but if you still believe those figures (without mentioning any origin, which is actually a favourite Microsoft trick for sales presentation figures), I may have some excellent swamp land for sale..

0
0
Bronze badge
Mushroom

Re: Pah! Adobe!

Windows Phone has been out for 2 years now, so your comment is just bs. Windows Mobile - which had over 50% Smartphone market share at one point - also had near zero vulnerability counts.

The vulnerability numbers are both from Secunia, who count based on the CERT vulnerabilities, not Microsoft or Apple patches.

If OS-X (or Linux) ever takes a higher market share than Windows on the Desktop then the AV vendors will likely make more money than they do now...

0
1
Gold badge
WTF?

I'm confused

Why was this application running on these servers?

And how did no one notice this outbound traffic for two months?

Just because you host your nation's vulnerability database does not make you invulnerable.

2
1
Bronze badge

Re: I'm confused

First, one must know to monitor outbound traffic, knowing what to look for.

Webservers do tend to send data out, kind of their job and all.

Though, as I recall, the US DoD still holds the longevity prize for over two years of compromised systems and servers exfiltrating data to the PRC.

1
0
Gold badge

Re: I'm confused

"First, one must know to monitor outbound traffic, knowing what to look for."

Or hire someone who does. This sudden discovery seems like the result of a new set of eyes looking at the outgoing logs (for the first time ever?)

"Webservers do tend to send data out, kind of their job and all."

Primarily on (IIRC) port 80.

Not on anything else, so if there was any outbound traffic from other ports that should have raised flags much earlier.

0
0
Silver badge
Mushroom

ADOBE!

Son of a... why am I not surprised?

0
0
Gold badge
Facepalm

I suspect ..

.. they were aiming for an irony award.

2
0
Linux

Looks like a Java hack ..

hotfix

0
0
Linux

The ghost of Kevin Mitnick?

"Considering the fact that Windows 95 hadn’t even been released when federal agents finally caught up with the computer hacker Kevin Mitnick, one might assume his new memoir would be full of stale old tech-and-techniques that no one in 2011 could possibly care about. But as Mitnick makes clear here, don’t jump to conclusions." link

1
0
Thumb Up

Heh

Adobe's ColdFusion web development software is to blame for the downtime of the US Government's National Vulnerability Database.

The malware infected two servers . . .

ColdFusion has officially been classified as malware, apparently.

2
0