For techie tips and tricks, tools and sites of (dis)interest

Search for Software Vulnerabilities

Saturday, October 03, 2009
While stumbling around the internets I came across this darkReading article titled:
"FBI: Your Social Networking 'Friend' Really Isn't In Trouble Overseas"

It was worth reading, but not really anything we didn't all know already. However, the links to the right of the article in the "BUGS Enterprise Vulnerabilities" section were very interesting, not least because most of the ones showing at the time happened to be WebSphere Application Server 6.1 related, which I work with day-to-day.

Clicking from there to the originating website brought me to this excellent resource, which, until today, I didn't even know existed.
The vulnerability search is the main draw, as far as I can see, and I was able to find innumerous hits (well, not strictly true, since it says exactly how many hits you got from a query) for several applications I use, or hate.

This is no reflection on Apple, but I did a little search on "Apple Safari", and got 192 hits. That's not bad, and there were only 18 vulnerabilities in Safari listed here for the last 3 months.
What puts this into context is that a search on Apache Tomcat got just 63 hits (all time), with the last one listed on June 16th this year (so none in the last 3 months), while a search on "Windows_Vista" (you need to use _ to do a phrase search, not quotes as with most searches - or you can use the advanced search instead) produces 209 hits. This is lower than I expected, but when I checked a few I could see that some of them were compound threats, with links leading to KB articles and rollups.

If you have any software you'd like to check for holes, this is a good place to look. The vendor might be brilliant at keeping you informed and warned (like Drupal, for example, who send me vulnerability warnings by mail regularly), but they might also not be very forthcoming like, I don't know, Symantec for example.

Don't wait for the vendor to tell you about it, I guess that's what I'm trying to say.

Since it doesn't look like the National Vulnerability Database lists everything, I'd appreciate any links to other sites that provide a similar search facility (and don't say google.com either!).