Common Vulnerabilities and Exposures (CVE)
In information security jargon, vulnerabilities are potential openings for attack or system penetration that arise from flawed or erroneous design decisions, protocol implementations, software characteristics and similar causes, whereas exposures are ways of obtaining unauthorized access to systems, such as system fingerprinting and scanning, that not everyone agrees also constitute vulnerabilities. In fact, there is a fascinating discussion of this terminology, and of why it matters, on the CVE site; it is well worth reading for anyone interested in why there is so much fuss about names and terms.
The goal of the CVE list is to create a common lexicon of names for vulnerabilities and exposures, so that everyone who works in the area can agree on a common set of terms. Candidate entries are submitted for editorial review by the CVE board, granted specific identifiers, linked to technical descriptions and associated with the relevant security alerts, bulletins, reports and other documents that identify and describe them. For example, the Sasser worm currently bears the CVE cognomen CAN-2003-0533, which decodes as follows: “This is a candidate (CAN) item submitted in 2003 with entry number 0533.” On its Web page you will also find pointers to the relevant CERT, Microsoft, EEYE and BugTraq documents that describe the Local Security Authority vulnerability that lets the Sasser worm do its thing.
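The decoding above is mechanical, so here is an added example (not code from the CVE project) that parses an identifier into its status, year and entry number and pulls every such identifier out of a bulletin. It goes slightly beyond the page: it also accepts the plain CVE- prefix and sequence numbers longer than four digits, which later CVE syntax allows; the bulletin text is constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CAN- is the candidate prefix described on the page; CVE- is the accepted-entry
# prefix. Sequence part is 4 or more digits (assumption: later CVE syntax allows
# more than the four digits the page shows).
_CVE_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)

@dataclass(frozen=True)
class CveId:
    status: str    # "candidate" for CAN-, "entry" for CVE-
    year: int      # year the item was submitted
    sequence: int  # entry number within that year

    def canonical(self) -> str:
        prefix = "CAN" if self.status == "candidate" else "CVE"
        return f"{prefix}-{self.year}-{self.sequence:04d}"

def parse_cve_id(text: str) -> CveId:
    """Parse one identifier such as 'CAN-2003-0533'; raise on anything else."""
    m = _CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE/CAN identifier: {text!r}")
    prefix, year, seq = m.groups()
    status = "candidate" if prefix.upper() == "CAN" else "entry"
    return CveId(status, int(year), int(seq))

def decode(text: str) -> str:
    """Render the identifier the way the page spells it out."""
    cid = parse_cve_id(text)
    kind = "candidate (CAN) item" if cid.status == "candidate" else "CVE entry"
    return f"This is a {kind} submitted in {cid.year} with entry number {cid.sequence:04d}."

def find_cve_ids(document: str) -> list[CveId]:
    """Return the distinct identifiers in a bulletin, in order of first appearance."""
    seen: set[CveId] = set()
    found: list[CveId] = []
    for m in _CVE_RE.finditer(document):
        cid = parse_cve_id(m.group(0))
        if cid not in seen:
            seen.add(cid)
            found.append(cid)
    return found

# Constructed sample bulletin text, not a real advisory; CVE-2099-123456 is a placeholder.
SAMPLE_BULLETIN = """\
Affected: Local Security Authority vulnerability, tracked as CAN-2003-0533 (the
vendor text writes it can-2003-0533). Unrelated reference: CVE-2099-123456.
Not identifiers: CVE-2003-533 (too short), CVEX-2003-0533, TICKET-2003-0533.
"""
```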
Please note that this common list of terms, while both useful and informative, does not focus on exploits, and so will not respond to many virus, worm or Trojan names, however well publicized or virulent they may be or have been. It focuses on vulnerabilities and exposures. Thus, searching the list depends on knowing about the vulnerabilities or exposures that make exploits possible, rather than working directly from the exploits themselves. Those interested in working from exploit information will be better served by searching the virus encyclopedias at VirusList.com or Symantec’s SecurityResponse Web pages.