How Vulnerable to Attack is Your Computer? See US-CERT

The US government is very concerned about cyber attacks. A special organization, the United States Computer Emergency Readiness Team (US-CERT), was formed with this charter:

US-CERT’s mission is to improve the nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT’s vision is to be a trusted global leader in cybersecurity — collaborative, agile, and responsive in a complex environment.

Lately I have written several pieces about using anti-malware applications on personal computers (For Computer Security, Can Malwarebytes Do the Job?, More Malwarebytes: Prevention or Detection?, Chris Pirillo Talks to Doug Swanson of Malwarebytes, and Malwarebyte’s Other Tools — They are Nifty and Free!). Having good software protection is important, but knowing which applications and peripherals are vulnerable to attack before your computer is attacked is also important. US-CERT provides a valuable service by publishing a weekly vulnerability summary. All known or reported vulnerabilities are ranked by the Common Vulnerability Scoring System (CVSS). The details of how this works are too complex to go into here, but a score of 10.0 means you are major bad, and a score of 0.0 means you are a good guy. Using this scale, vulnerabilities are reported as High, Medium, or Low. Medium is the biggest reported category, but Low or non-threatening would be the largest if all applications were included in the studies. The low category is under-reported because, if an application is perfectly safe, it will probably not be reported by US-CERT. So, in essence, the low category includes items with a known vulnerability, and excludes safe items.

Which are the items in the high vulnerability class that we should worry about? Here are some results taken from the weekly vulnerability summary for the week of Aug 6th.

Two perfect 10s are reported: the Opera browser and uplay_pc, which is a Ubisoft plugin. (Assassin’s Creed, anyone?) However, many unlikely candidates make the “High” list. Even my favorite, LibreOffice, has a high vulnerability rating (7.5). Google Chrome, Cisco, and Siemens all make the list, but a real surprise is Symantec’s web_gateway (7.5). Some people simply should not be on a vulnerability list.

Also rather disheartening for us Linux lovers is that many vulnerabilities in various distributions make the high vulnerability list, but we all knew the main reason Ubuntu, for instance, is relatively unaffected by malware is that its market share is too small to attract serious exploitation. There are easy pickings in the much larger markets. God help us if Ubuntu ever starts to climb to Windows heights.

The bulletin of vulnerabilities is interesting and surprising, but so what? Can this information help the average user to stay malware-free? Probably not directly. It can show what applications and peripherals to avoid right now, but the main use is to publicize vulnerabilities so that pressure is applied to the providers to plug the holes and make us all safer. Of course this only works if the results of US-CERT are published in a public forum — hence the value of the bulletin. Nothing works better at forcing improvement than transparency. Simply by reading the bulletin, you contribute in a small way to reducing vulnerabilities.

In the meanwhile, based on what I see in the bulletin, I personally would avoid using Bitcoin or buying a Cisco router. This does not mean that I think Cisco makes bad products. It makes some fine things. And maybe a lot of people benefit from Bitcoin. But I will feel more comfortable about them and the others on the vulnerability lists when their CVSS scores drop or they disappear entirely from the bulletin.

On the other hand, I do not intend to stop using Linux or LibreOffice, but that is my inconsistency. At least I am being inconsistent with better knowledge thanks to US-CERT.

Does the information that US-CERT provides give you pause in using any applications in your current setup, or do you think your ship is in good enough shape that you needn’t worry about such things? Leave a comment below and share your thoughts, please.

  • Matthew Arevalo

    I am happy to see how these resources have grown over the years. Very helpful.

    • sdeforest

      Yes, but on the other hand, it is sad we need them. And I do not see that need going away quickly.

    • sdeforest

      Yes, but it is sad that we need them, and will likely continue to need them.

  • Raven Lee

    Linux has millions of users. The low market share excuse is a myth and has been debunked as it has no basis in facts. It started as a talking point from Microsoft levied against Apple’s Macintosh line of hardware.

    Vulnerabilities are less serious than in Windows and are patched quickly.

    More street cred is gained by exposing vulnerabilities in systems that have a strong reputation for safety such as Mac OS X or Linux. “First!,” is a common refrain online.

    This article is just more scare tactics designed to get more eyes on it.

    • sdeforest

      I hate to contradict a reader, but this is not a scare article. I stated quite plainly that I am a fan of and use Linux regularly. The article only reviewed the best available data on vulnerabilities as presented by our government–you might have a better source. Check it out yourself–neither Apple nor Microsoft appear in the bulletin. That could simply be an artifact of the sampling since vulnerabilities that had been fixed by the time the bulletin was written would not appear. If I wanted to write a scare article, it would be more obvious–and more scary. BTW, I would appreciate a reference to the debunking study.

  • https://plus.google.com/112301869379652563135/posts Ryan Matthew Pierson

    Very interesting. Thanks for sharing this. I had no idea this even existed.

    • sdeforest

      I just learned about it too, which is rather embarrassing because it has been around for years.

  • http://chris.pirillo.com/ Chris Pirillo

    I almost got nailed with a false Facebook “cancel your account” message today. I had to do a couple of double takes, and ended up sending it on to a Facebook contact to make sure that the connected app was terminated with extreme prejudice.

    Your computer may be safe, but your intelligence will always be at risk.

    • sdeforest

      As I have said many times, anti-virus software is your second line of defense. You are your first line of defense.

  • http://www.maxmajewski.net/ Maximilian Majewski

    Thanks for the info. I’ll have to take a closer look at this.

    • sdeforest

      Enjoy–it can be quite eye-opening. I only learned about it recently.