[funsec] Rant: Common Malware Enumeration (CME) gets mixed reception

Fergie (Paul Ferguson) fergdawg at netzero.net
Thu Oct 6 11:35:05 CDT 2005

Completely agreed -- as I mentioned earlier, it will be nice
to have common naming convention cross-reference ability.

The problem here (and perhaps not really a big problem) is the
target audiences are hugely different.

The CVE audience is a much smaller, specialized group of people.

The CME audience is a huge, public consumer audience, that is
trying to make sense of the security scare tactics. ;-)

Or perhaps I'm wrong, and that isn't the target audience.... :-)

- ferg

-- Florian Weimer <fw at deneb.enyo.de> wrote:

> For example, F-Secure mentioned that one of the newest Sober
> variants this morning had been assigned CME-151. Meanwhile,
> McAfee makes an AVERT announcement about a similar Sober variant
> that they feel warrants alerting their AVERT subscribers. However,
> if you go to the CME webpage, there is no listing for it, or any
> number of others.

Just like CVE, and it's not a real problem.  I don't think malware
life cycles are significantly shorter than vulnerability life cycles,
and you can always provide local description/cross references in your
own application, until the official ones are ready (the Debian testing
security team does this for CVE).

The real benefit is not the data MITRE provides, but the naming
service.  With CVE or CME, you can join information from completely
different databases.  For example, if you assign CVE names to your
security bugs, you can automatically tell your users if they are
remotely exploitable, simply by fetching the data from NVD (the NIST
iCAT successor).

"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg at netzero.net or fergdawg at sbcglobal.net
 ferg's tech blog: http://fergdawg.blogspot.com/
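
The join on a shared name that Florian Weimer describes above, as an added example that is not part of the original thread. The tracker rows, the feed records, the `access_vector` field name and the `TEMP-` placeholder prefix are all constructed assumptions; the point is that a bug with no published record is reported as unknown rather than as not remotely exploitable.

```python
import re

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed local tracker rows; TEMP-* is a hypothetical local placeholder
# used until an official name is assigned.
LOCAL_BUGS = [
    {"bug": 101, "name": "cve-0000-0001 "},
    {"bug": 102, "name": "CVE-0000-0002"},
    {"bug": 103, "name": "TEMP-000103"},
    {"bug": 104, "name": "CVE-0000-0004"},
]
# Constructed stand-in for an external feed keyed by the shared name.
# The "access_vector" field name is an assumption, not a real NVD schema.
FEED = {
    "CVE-0000-0001": {"access_vector": "NETWORK"},
    "CVE-0000-0002": {"access_vector": "LOCAL"},
}
# Local descriptions that fill the gap until official data exists.
LOCAL_NOTES = {"TEMP-000103": "described locally, awaiting official name"}


def join_on_name(bugs, feed, notes):
    """Join local bugs to feed records on the normalized shared name."""
    rows = []
    for bug in bugs:
        name = bug["name"].strip().upper()
        record = feed.get(name) if CVE_ID.fullmatch(name) else None
        if record is not None:
            status, remote = "joined", record["access_vector"] == "NETWORK"
        elif CVE_ID.fullmatch(name):
            # Officially named but not yet published: unknown, not "safe".
            status, remote = "unpublished", None
        else:
            # Local placeholder name: only the local note is available.
            status, remote = "local-only", None
        rows.append({"bug": bug["bug"], "name": name, "status": status,
                     "remote": remote, "note": notes.get(name)})
    return rows


if __name__ == "__main__":
    for row in join_on_name(LOCAL_BUGS, FEED, LOCAL_NOTES):
        print(row)
```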
