Keeping up to date as an administrator
October is Cyber Security Awareness Month (among other things including Breast Cancer Awareness Month), so this post is going to help make you aware of how to learn about vulnerabilities and – more importantly – patches in the systems you manage.
Vulnerabilities are disclosed in several places. The first place you’re likely to find public disclosure of a vulnerability is the Full Disclosure mailing list. On the downside, it has a very high noise to content ratio (i.e. there’s a *lot* of noise, probably 90-95% noise). The second place it’s likely to show up, and the more useful one to you, is the bugtraq mailing list; this is because bugtraq is moderated. It has a much lower noise to content ratio (90-95% of it will be useful). If you want to be on the cutting edge of vulnerability research, these are the two go-to lists.
milw0rm.org (which has questionable uptime at the moment) has a great database of exploits. If there’s an exploit in the wild, milw0rm will likely have a copy of it. And vice versa, if milw0rm has exploit code for it, you’re likely to see people attempting it.
All of these sites cover *all* vulnerabilities, including many that may not affect you. If you’re short on time, you want to know which vulnerabilities affect you and whether there’s a patch. Vendor-specific mailing lists (or web pages) are your friends here. Sometimes you have to be a paying support customer to have access to these lists, but the ones I list here are free for everyone to join.
- Windows has several options depending on what you want to get from them.
- Apple has their security-announce list available through a mailing list or RSS feed.
- FreeBSD has a whole group dedicated to vulnerabilities, with links to a list of the vulnerabilities in FreeBSD as well as the ports tree.
- Sun has a knowledgebase article that lists all current vulnerabilities and advisories.
- Linux vulnerabilities are generally listed through the distribution you choose to install.
  * Red Hat has several public lists for vulnerability announcements depending on the product you’re interested in.
  * Debian: debian-security-announce mailing list
  * Ubuntu: ubuntu-security-announce mailing list
  * SuSE has a web page devoted to advisories.
Whatever operating system you run or administer, find out where the advisories are posted and monitor them for activity. Everything is going to have vulnerabilities sooner or later; you’re not “safe” just because you run an obscure operating system or application. Keep up to date and you’ll reduce your attack surface.
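Monitoring a vendor advisory feed by hand gets tedious fast, and the point of the post is that you care only about the advisories that name something you actually run. The script below is an added example, not code from the original post or from any vendor: it parses an RSS 2.0 advisory feed and filters the items down to those whose affected packages intersect an inventory of installed packages. The feed content and the package inventory are constructed for illustration, the "Affected packages:" wording in the descriptions is an assumed convention (real vendor feeds vary), and in practice you would fetch the vendor's real feed URL and build the inventory from your package manager.

```python
"""
Filter a vendor security-advisory RSS feed down to the products you run.

Added example, not part of the original post. The feed below is
constructed; in practice, fetch the vendor's real feed (e.g. with urllib)
and pass the bytes to match_advisories().
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed: three advisories, only some of which affect us.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Vendor Security Announcements (constructed)</title>
    <item>
      <title>EXAMPLE-SA-0001: openssh remote code execution</title>
      <link>https://vendor.example/advisories/0001</link>
      <description>Affected packages: openssh, openssh-server. Fixed in 7.9p1-3.</description>
    </item>
    <item>
      <title>EXAMPLE-SA-0002: kernel privilege escalation</title>
      <link>https://vendor.example/advisories/0002</link>
      <description>Affected packages: linux-image. Fixed in 4.19.0-6.</description>
    </item>
    <item>
      <title>EXAMPLE-SA-0003: cups denial of service</title>
      <link>https://vendor.example/advisories/0003</link>
      <description>Affected packages: cups, cups-daemon. Fixed in 2.2.10-3.</description>
    </item>
  </channel>
</rss>
"""

# Constructed inventory: the packages installed on the hosts we manage.
# In practice, build this from `dpkg -l`, `rpm -qa`, `pkg info`, etc.
INSTALLED = {"openssh-server", "linux-image", "nginx", "postfix"}


def parse_feed(feed_bytes):
    """Return a list of {title, link, description} dicts from an RSS 2.0 feed."""
    root = ET.fromstring(feed_bytes)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
        })
    return items


def affected_packages(description):
    """Extract package names from an assumed 'Affected packages: a, b.' sentence."""
    m = re.search(r"Affected packages:\s*([^.]+)", description)
    if not m:
        return set()
    return {p.strip() for p in m.group(1).split(",") if p.strip()}


def match_advisories(feed_bytes, installed):
    """Return advisories whose affected packages intersect our inventory."""
    hits = []
    for adv in parse_feed(feed_bytes):
        relevant = affected_packages(adv["description"]) & installed
        if relevant:
            hits.append({
                "title": adv["title"],
                "link": adv["link"],
                "packages": sorted(relevant),
            })
    return hits


if __name__ == "__main__":
    for hit in match_advisories(SAMPLE_FEED, INSTALLED):
        print(f"{hit['title']}\n  {hit['link']}\n  affects: {', '.join(hit['packages'])}")
```

Run it as-is and it reports the openssh and kernel advisories but skips the cups one, since nothing in the inventory matches. Hooking it to a real feed is a matter of replacing SAMPLE_FEED with the fetched bytes and regenerating INSTALLED from each host; a cron job that mails the hits is the usual next step.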
