Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CERT/CC Seeks to Remove Fear Element From Named Vulnerabilities

Most people will immediately recognize CVE-2014-0160 as a vulnerability, but few will know which vulnerability it refers to. Call it Heartbleed, however, and more people will know more about it. That’s the strength of natural language over numbers — humans remember words more easily than numbers.

Most people will immediately recognize CVE-2014-0160 as a vulnerability, but few will know which vulnerability it refers to. Call it Heartbleed, however, and more people will know more about it. That’s the strength of natural language over numbers — humans remember words more easily than numbers. It’s the same argument as that for using domain names rather than IP addresses for web browsing.

The weakness, however, is that natural language words carry emotive undertones, and that is a concern for Leigh Metcalf at Carnegie Mellon’s Software Engineering Institute. She worries that some vulnerability discoverers choose to name their discoveries purely for maximum media impact rather than accurately reflecting the severity of the flaw — which could lead to worry, or even fear, among users. Other examples she specifically mentions are Spectre, Meltdown, and Dirty Cow.

“This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public,” she blogs. The reasoning is similar to that of the technical director of the NCSC, Ian Levy, who wrote in November 2016, “One thing that’s missing in cyber security is unbiased data… It’s time to stop talking about what the winged ninja cyber monkeys can do and… be in a place where the skilled network defender community are free to tackle the really nasty stuff.”

Related: Industry CMO on the Downstream Risks of “Logo Disclosures”

CERT/CC set itself the task of automatically generating natural language descriptors to represent CVE numbers, but without any emotive bias. “Our goal,” writes Metcalf, “is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is.”

To achieve this, CERT/CC decided to ‘randomly’ pair an adjective with a noun, acquiring both word lists from Wiktionary “and categories of words such as animals, plants, objects in space, and more.” Word pairs are then mapped to the CVE IDs using the Cantor Depairing Function, which allows a natural number to be mapped to two natural numbers uniquely.

The results of the process can be seen on Twitter (@vulnonym, which is “a bot for generating names for CVE IDs”). Recent examples include Privileged Ukulele for CVE-2020-16006; Collected Camp for CVE-2020-16002; and Shielded Agnus for CVE-2020-16001. There is no doubt that there is no apparent emotive bias to the new naming convention, but much still needs to be done on the project — and it is not entirely clear that two disconnected words are any better than one emotive word.

Advertisement. Scroll to continue reading.

There is also the possibility that an automated bot can generate an entirely unacceptable combination. “In case anyone considers a word or name to be offensive,” writes Metcalf, “we have a simple process to remove it from the corpus and re-generate a name.” However, what is inoffensive to one person could be very offensive to another. For example, one @vulnonym tweet reads, “My real name is CVE-2020-15996 but all my friends call me Brisk Squirt.” Brisk Squirt, incidentally, is entirely inoffensive to me. It (CVE-2020-15996) is a high-risk use after free in passwords Android vulnerability fixed in Chrome 86 (86.0.4240.99) for Android.

@vulnonym is currently described as an experiment, and CERT/CC asks users to “let us know if this naming experiment is useful.” However, many of the researching vendors who discover vulnerabilities are primarily motivated by the marketing potential of an emotive description — they may be reluctant to give up exposing MeltdownPlus in favor of Brisk Squirt. Only time will tell whether this naming experiment proves worth the effort, or if the project gets consigned to the Ministry of Silly Names.

Related: Industry CMO on the Downstream Risks of “Logo Disclosures”

Related: Why The Heartbleed Vulnerability Matters and What To Do About It 

Related: Intel Working on Patches for 8 New Spectre-Like Flaws: Report 

Related: Microsoft Fixes Windows Flaw Introduced by Meltdown Patches 

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.