Headline
Vulristics May 2022 Update: CVSS redefinitions and bulk adding Microsoft products from MS CVE data
Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239088 CVSS redefinitions A fairly common problem: we have a CVE without an available CVSS vector and score. For example, this was the case with CVE-2022-1364 Type Confusion in […]
Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics.
Alternative video link (for Russia): https://vk.com/video-149273431_456239088
A fairly common problem: we have a CVE without an available CVSS vector and score. For example, this was the case with CVE-2022-1364 Type Confusion in V8 (Chromium). This vulnerability does not exist in NVD.
The CVSS for this vulnerability is not available on the Microsoft website. Although this vulnerability itself exists for the Edge browser.
But on the other hand, CVSS can be found on other sites, such as White Source.
Therefore, I decided to add the ability to manually set the CVSS value for some vulnerabilities in data_redefinitions.py. And this value will be used in the report.
This allows you to correctly assess vulnerabilities even if there are some problems in the main data sources.
Bulk adding Microsoft products from MS CVE data
The second problem is that I still edit the product description file data/classification/products.json manually. This file is used to detect the names of vulnerable products based on the description of the vulnerabilities.
When I do the Microsoft Patch Tuesday reports every month, there are new products that are not covered in the file. They appear in the report as Unknown Products. I have to manually add them to the file.
It’s annoying. In addition, there may be products containing the word “Windows” in their name. If there is no separate detection for them, they will be detected as Windows Kernel. And this is not right.
Therefore, I added functions to automatically edit products.json. I download all Microsoft CVEs from Vulners.com, extract software names from titles, and add new softwares to products.json.
Those products that have the word Windows in their name are added with the comment “Windows component” and a criticality of 0.8. The remaining products are added with an average criticality of 0.5 and without comment.
It is expected that they will be edited manually if necessary. For all products, the vendor “Microsoft” is set.
I had 358 manually added products, I received 821 candidates for addition. As a result, I got 861 products in the products.json file. Big progress without much effort. Now it will be enough to run update_products_file_from_vulners_ms_cves() function periodically and this will eliminate problems with manually adding products for MS Patch Tuesday.
In case of duplication, simply add an additional name to additional_detection_strings. Also, of course, you can freely change the prevalence and detection_priority and they will not be overwritten.
New improvements can be evaluated in the next episode about Microsoft Patch Tuesday.
Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
Related news
Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion
Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of
Categories: Exploits and vulnerabilities Categories: News The Google Chrome Team recently issued a fix for the CVE-2022-3075 zero-day. (Read more...) The post Zero-day puts a dent in Chrome's mojo appeared first on Malwarebytes Labs.
Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
The high-severity security vulnerability (CVE-2022-2856) is due to improper user-input validation.
Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents. Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on
Gentoo Linux Security Advisory 202208-25 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 5.15.5_p20220618>= are affected.
Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.
The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.
The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.
Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild. The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch […]