How Vulnerable to Attack is Your Computer? See US-CERT

The US government is very concerned about cyber attacks. A special organization, the United States Computer Emergency Readiness Team (US-CERT), was formed with this charter:

US-CERT’s mission is to improve the nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT’s vision is to be a trusted global leader in cybersecurity — collaborative, agile, and responsive in a complex environment.

Lately I have written several pieces about using anti-malware applications on personal computers (For Computer Security, Can Malwarebytes Do the Job?, More Malwarebytes: Prevention or Detection?, Chris Pirillo Talks to Doug Swanson of Malwarebytes, and Malwarebyte’s Other Tools — They are Nifty and Free!). Having good software protection is important, but knowing which applications and peripherals are vulnerable to attack before your computer is attacked is also important. US-CERT provides a valuable service by publishing a weekly vulnerability summary. All known or reported vulnerabilities are ranked by the Common Vulnerability Scoring System (CVSS). The details of how this works are too complex to go into here, but a score of 10.0 means you are major bad, and a score of 0.0 means you are a good guy. Using this scale, vulnerabilities are reported as High, Medium, or Low. Medium is the biggest reported category, but Low or non-threatening would be the largest if all applications were included in the studies. The low category is under-reported because, if an application is perfectly safe, it will probably not be reported by US-CERT. So, in essence, the low category includes items with a known vulnerability, and excludes safe items.

Which are the items in the high vulnerability class that we should worry about? Here are some results taken from the weekly vulnerability summary for the week of Aug 6th.

Two perfect 10s are reported: the Opera browser and uplay_pc, which is a Ubisoft plugin. (Assassin’s Creed, anyone?) However, many unlikely candidates make the “High” list. Even my favorite, LibreOffice, has a high vulnerability rating (7.5). Google Chrome, Cisco, and Siemens all make the list, but a real surprise is Symantec’s web_gateway (7.5). Some people simply should not be on a vulnerability list.

Also rather disheartening for us Linux lovers is that many vulnerabilities in various distributions make the high vulnerability list, but we all knew the main reason Ubuntu, for instance, is relatively unaffected by malware is that its market share is too small to attract serious exploitation. There are easy pickings in the much larger markets. God help us if Ubuntu ever starts to climb to Windows heights.

The bulletin of vulnerabilities is interesting and surprising, but so what? Can this information help the average user to stay malware-free? Probably not directly. It can show what applications and peripherals to avoid right now, but the main use is to publicize vulnerabilities so that pressure is applied to the providers to plug the holes and make us all safer. Of course this only works if the results of US-CERT are published in a public forum — hence the value of the bulletin. Nothing works better at forcing improvement than transparency. Simply by reading the bulletin, you contribute in a small way to reducing vulnerabilities.

In the meantime, based on what I see in the bulletin, I personally would avoid using Bitcoin or buying a Cisco router. This does not mean that I think Cisco makes bad products. It makes some fine things. And maybe a lot of people benefit from Bitcoin. But I will feel more comfortable about them and the others on the vulnerability lists when their CVSS scores drop or they disappear entirely from the bulletin.

On the other hand, I do not intend to stop using Linux or LibreOffice, but that is my inconsistency. At least I am being inconsistent with better knowledge thanks to US-CERT.

Does the information that US-CERT provides give you pause about using any applications in your current setup, or do you think your ship is in good enough shape that you needn’t worry about such things? Leave a comment below and share your thoughts, please.