The Skybox Vulnerability Database is the most comprehensive database because it contains more specific information on vulnerabilities than any other single source.  This is because the Skybox Research Lab correlates information from more than 20 different vulnerability databases, aggregates bits of information that may appear in separate sources, removes inconsistencies through manual analysis, and adds information such as attack preconditions and exploit difficulty for better risk ranking of vulnerabilities.

We also sometimes have vulnerabilities listed in our database that have no CVE number. You may ask… why does that happen? It’s best to walk through an example. Let’s consider CVE-2013-3917, a memory corruption vulnerability in Internet Explorer. You’ll find that the National Vulnerability Database lists this vulnerability at a severity of CVSS 9.3.

When the Skybox Research Lab reviewed available sources, they found comments in Microsoft’s security bulletin (under Severity Ratings and Vulnerability Identifiers) stating that the bulletin is rated ‘critical’ on workstations (Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1). However, on servers (Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2), Microsoft rates this vulnerability only ‘moderate’.

Microsoft’s comments:

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

So, if you are a server administrator, and you haven’t taken your servers out of Enhanced Security Configuration, then you most likely have a mitigating security control already in place that would prevent or limit the effect of this vulnerability.  If you are a desktop administrator… no such luck.

Therefore, the Skybox Research Lab split CVE-2013-3917 into two vulnerabilities – a moderate vulnerability for Windows Servers, and a critical vulnerability for workstations. In 2013, the Skybox Research team split 17 CVEs into two vulnerabilities for similar reasons.
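The split described above can be expressed as a small context-aware rating rule: a vulnerability carries the vendor's base rating plus a platform-specific rating that applies only when the named mitigating control is confirmed on the asset. The example below is an added illustration, not Skybox's code or a model of its database; the asset inventory, control name `ie_esc` and the helper names are constructed for the example. It also covers the edge case the post points at: a server whose administrator has switched Enhanced Security Configuration off gets no downgrade and stays at the workstation rating.

```python
"""Context-aware severity: one CVE, different effective risk per asset.

Added illustration (not Skybox's code): models the decision in the post,
where CVE-2013-3917 is rated 'critical' on workstations but 'moderate' on
Windows Server hosts running Internet Explorer Enhanced Security
Configuration (ESC). Asset names, the control label "ie_esc" and the
inventory below are constructed sample data.
"""
from dataclasses import dataclass, field

# Microsoft-style rating labels, ordered so assets can be prioritized.
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}


@dataclass
class Vulnerability:
    cve: str
    base_rating: str                      # rating with no context applied
    mitigating_control: str = ""          # control that justifies a downgrade
    # platform -> rating the vendor gives when that control is present
    mitigated_rating: dict = field(default_factory=dict)


@dataclass
class Asset:
    name: str
    platform: str                         # "workstation" or "server"
    controls: set = field(default_factory=set)   # controls confirmed in place


def effective_rating(vuln, asset):
    """Return (rating, reason) for this vulnerability on this asset.

    The downgrade applies only when the platform has a vendor override AND
    the mitigating control is actually confirmed on the host.
    """
    override = vuln.mitigated_rating.get(asset.platform)
    if override and vuln.mitigating_control in asset.controls:
        return override, f"{vuln.mitigating_control} in place on {asset.platform}"
    return vuln.base_rating, "no mitigating control in place"


def split_by_context(vuln, assets):
    """Group assets by effective rating: the 'one CVE becomes two records' view."""
    groups = {}
    for asset in assets:
        rating, reason = effective_rating(vuln, asset)
        groups.setdefault(rating, []).append((asset.name, reason))
    return groups


def prioritized(vuln, assets):
    """Assets ordered by effective severity, highest first (stable for ties)."""
    return sorted(
        assets,
        key=lambda a: SEVERITY_RANK[effective_rating(vuln, a)[0]],
        reverse=True,
    )


# Vulnerability record built from the ratings quoted in the post.
CVE_2013_3917 = Vulnerability(
    cve="CVE-2013-3917",
    base_rating="critical",
    mitigating_control="ie_esc",
    mitigated_rating={"server": "moderate"},
)

# Constructed inventory: one workstation, one server with ESC on, one server
# whose administrator has taken it out of ESC.
ASSETS = [
    Asset("ws-01", "workstation"),
    Asset("srv-01", "server", {"ie_esc"}),
    Asset("srv-02", "server"),
]

if __name__ == "__main__":
    for rating, members in split_by_context(CVE_2013_3917, ASSETS).items():
        print(f"{CVE_2013_3917.cve} [{rating}]")
        for name, reason in members:
            print(f"  {name}: {reason}")
```

Running the block prints two records for the one CVE: `critical` for `ws-01` and `srv-02`, `moderate` for `srv-01`. The point of the `srv-02` entry is that the downgrade is tied to the control being present, not to the host being a server.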

For IT security professionals, context-aware information about vulnerabilities is essential to identifying the truly critical risks – those that either have no mitigating security control, or those that directly impact critical business assets – and not relying on vendor recommendations.

Skybox Risk Control for Vulnerability Management performs a context-aware analysis to highlight vulnerabilities that can be exploited. Skybox takes into account access paths, compensating network security controls such as firewalls and IPS, and simulates potential attacks to rank vulnerabilities by risk level to valuable assets.

Skybox Risk Control then automatically provides context-aware remediation options, considering multiple remediation actions such as activating IPS signatures, changing firewall configurations, patching, and more. Additionally, Skybox Risk Control provides actionable remediation steps, an integrated workflow to generate support tickets and comprehensive metrics to evaluate remediation progress. Learn more about the next-generation vulnerability management solution.
