Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development

    Mitre Warns of Issues With Software Flaw ID System if Count Tops 10K

    By
    Robert Lemos
    -
    September 18, 2014
    Share
    Facebook
    Twitter
    Linkedin
      Software Flaws 917

      When government contractor MITRE came up with its widely used system for assigning a unique ID to each software flaw, known as the Common Vulnerabilities and Exposures (CVE) identifier, the group did not foresee a time when more than 9,999 vulnerabilities would be discovered in a year.

      Yet, with 6,500 IDs already assigned to software firms this year, 2014 may set a record for the number of flaws reported by researchers. In what vulnerability researchers have taken to calling “CVE-10k issue,” MITRE has warned companies and security software makers that the unique identifiers could expand to five digits or more this year.

      But there’s concern that the change could break some security software or possibly lead to different identifiers being confused in older systems.

      The U.S. government’s National Vulnerability Database, for example, originally rejected any identifier that includes more than four digits, Steve Christey Coley, CVE list editor and principal information security engineer at MITRE, told eWEEK. While the system is fixed, other systems may not be, he said.

      “A lot of people depend on CVE working properly without even knowing it,” he said. “CVE has become such a part of the infrastructure that we cannot know all of the different ways that it is being used.”

      Launched in 1999, the Common Vulnerabilities and Exposures (CVE) system gave companies and software researchers a common naming scheme for software vulnerabilities. While vendors typically have their own system for identifying and tracking software flaws, CVE identifiers allow their systems to essentially speak the same language. That year, less than 900 vulnerabilities were reported and given a CVE identifier.

      By 2006, however, the number of vulnerabilities had skyrocketed, hitting 6,608, according to the National Vulnerability Database. Concerned, Coley brought up the problem with the CVE editorial board in January 2007, proposing four possible solutions. Eventually that grew to eight solutions, including modifying the year, using a set number of digits and allowing alphanumeric characters.

      “In 1999, we could not imagine 10,000 vulnerabilities a year,” he said. “Who knows what it will look like in 15 years, 20 years or more.”

      For the past seven years, however, the number of vulnerabilities had fallen from the 2006 peak, ranging from 4,150 (in 2011) to 6,514 (in 2007). Last year, 5,186 vulnerabilities were reported, according to the National Vulnerability Database. Yet, the pace seems to be increasing, once again. For the first eight months of 2014, some 4,800 issues have already been reported.

      Eventually, the group decided that software should support any number of digits, and the change went into effect on Jan. 1, 2014.

      Coley and others worry that something, somewhere will break when the first CVE identifier with five digits is issued. To make sure that security-software developers have accounted for the extra digits, MITRE will issue its first five-digit identifier by Jan. 13, 2015, Coley said.

      “We can’t predict when we will hit 10,000,” he said. “We might hit 10,000 before the end of 2014, but we might not. If we don’t reach that point naturally, we will do it artificially on the Jan. 13th deadline.”

      If there is software out there that cannot handle the fifth digit, MITRE expects it to become evident in January. Yet, silent errors and problems are a possibility, he said.

      “Different products will manage CVEs in different ways, so when things break, they will not break the same way,” Coley said.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×