back to article Downed US vuln catalog infected for at least TWO MONTHS

Adobe's ColdFusion web development software is to blame for the downtime of the US Government's National Vulnerability Database. The malware infected two servers, and caused the National Institute for Standards and Technology to take the NVD database and other US government sites offline on Friday. The servers were …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Down

    Pah! Adobe!

    I assume that if they organise entries alphabetically, then early on in the list of national vulnerabilities will be an entry that simply reads: All Adobe software

    1. Anonymous Coward
      Anonymous Coward

      Re: Pah! Adobe!

      Noone can beat Adobe for buggy software, but Apple is close second. Must be all those topless cafe bars in San Jose area.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pah! Adobe!

        but Apple is close second

        I must have missed that one. Where does Apple have a problem?

        1. Anonymous Coward
          Anonymous Coward

          Re: Pah! Adobe!

          Where does Apple have a problem, lol??

          For a start, how about the over 400 known security vulnerabilities in IOS versus zero in Windows Phone, or the 1,840 known vulnerabilities in OS-X versus ~450 in even Windows XP?

          1. Anonymous Coward
            Anonymous Coward

            Re: Pah! Adobe!

            Where does Apple have a problem, lol??

            Oh dear, oh dear. If lies, damn lies and statistics weren't enough, you also seem to have trouble working with numbers..

            Let's start with the issue that you're talking about past exposures instead of current ones, but even without asking you which stuff you smoked to come up with those numbers there is plenty to rip apart with even the most basic thinking:

            the over 400 known security vulnerabilities in IOS versus zero in Windows Phone

            The problem here is not that Windows phone is safe, but that the two people using it do not collectively form an interesting enough target to even worry about fuzzing the code to discover holes. It's simply not worth the effort. As for 400 known exposures, that can only be "discovered but addressed". So, actually, Windows phone IS indeed safer, but it's a bit like a car with weak brakes which you only use on a small, isolated road with no traffic. God help you if you join the motorway, but please, feel free to become the 3rd buyer of a Windows phone. Ballmer may even give you a free chair once he's glued them together again.

            the 1,840 known vulnerabilities in OS-X versus ~450 in even Windows XP

            I would actually love for you to tell me how you managed to cook up that number, because you have a great future ahead in banking. Even if we ignore the Tuesday patch trick that let MS aggregate the many, many problems it has had over the years into weekly blocks, the number of PAST problems and possible infections of Windows lies actually in the millions, whereas the number of PAST vulnerabilities of OSX is closer to 40k. Or, put simpler for people who are scared of large numbers: a single digit percentage of Windows. When it comes to current exposures I have actually no idea, but from the discussions I have almost every week with friends that are actually IN the anti-virus industry I get the impression OSX isn't making them much money. Microsoft is, although Win7 has been a lot better - so it only took Microsoft about 2 decades. Well done..

            Maybe you should go and find people who understand maths, but if you still believe those figures (without mentioning any origin, which is actually a favourite Microsoft trick for sales presentation figures), I may have some excellent swamp land for sale..

            1. TheVogon Silver badge
              Mushroom

              Re: Pah! Adobe!

              Windows Phone has been out for 2 years now, so your comment is just bs. windows Mobile - which had over 50% Smartphone market share at one point also had near zero vulnerability counts.

              The vulnerability numbers are both from Secunia. Who count based on the CERT vulnerabilities, not Microsoft or Apple patches.

              If OS-X (or Linux) ever takes a higher market share than Windows on the Desktop then the AV vendors will likely make more money than they do now...

      2. Anonymous Coward
        Anonymous Coward

        Re: Pah! Adobe!

        You forgot Oracle!

        1. Wzrd1

          Re: Pah! Adobe!

          Adobe, Java, the bane of a stable network, with all of the bug fixes and security patches.

          And today, we introduce the security patch that corrects the security patch that corrects the security patches patch of a patched patch...

          1. Anonymous Coward
            Anonymous Coward

            Re: corrects the security patches patch of a patched patch...

            AND is guaranteed to break that custom web app for which you paid a pretty penny to streamline your finance processes!

  2. John Smith 19 Gold badge
    WTF?

    I'm confused

    Why was this application running on these servers?

    And how did no one notice this outbound traffic for two months?

    Just because you host your nations vulnerability database does not make you invulnerable.

    1. Wzrd1

      Re: I'm confused

      First, one must know to monitor outbound traffic, knowing what to look for.

      Webservers do tend to send data out, kind of their job and all.

      Though, as I recall, the US DoD still holds the longevity prize for over two years of compromised systems and servers exfiltrating data to the PRC.

      1. John Smith 19 Gold badge

        Re: I'm confused

        "First, one must know to monitor outbound traffic, knowing what to look for."

        Or hire someone who does. This sudden discovery seems like the result of a new set of eyes looking at the outgoing logs (for the first time ever?)

        "Webservers do tend to send data out, kind of their job and all."

        Primarily on (IIRC) port 80.

        Not on anything else. so if there was any outbound traffic from other ports that should have raised flags much earlier.

  3. ecofeco Silver badge
    Mushroom

    ADOBE!

    Son of a... why am I not suprised?

  4. Fred Flintstone Gold badge
    Facepalm

    I suspect ..

    .. they were aiming for an irony award.

  5. Anonymous Coward
    Linux

    Looks like a Java hack ..

    hotfix

  6. Anonymous Coward
    Linux

    The ghost of Kevin Mitnick?

    "Considering the fact that Windows 95 hadn’t even been released when federal agents finally caught up with the computer hacker Kevin Mitnick, one might assume his new memoir would be full of stale old tech-and-­techniques that no one in 2011 could possibly care about. But as Mitnick makes clear here, don’t jump to conclusions." link

  7. Tom Maddox Silver badge
    Thumb Up

    Heh

    Adobe's ColdFusion web development software is to blame for the downtime of the US Government's National Vulnerability Database.

    The malware infected two servers . . .

    ColdFusion has officially been classified as malware, apparently.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019