OSVDB – We hit the 100,000 mark…

[This was originally published on the OSVDB blog.]

If you didn’t catch the tweet, OSVDB pushed its 100,000th vulnerability on December 25, 2013.

This goal was on our minds the last quarter of 2013, with the entire team working to push an average of 36 vulnerabilities a day to reach it. That is quite the difference from when I started on the project ten years ago, when one day might bring 10 new vulnerabilities. Factor in the years where only one or two people worked on the project, and 100k in 10 years is substantial. In addition to the numbers, we track a considerable amount more data about each vulnerability than we did at the start, and every entry that goes out is 100% complete.

While this is a landmark number of sorts, as no other vulnerability database has that many entries, it is still a bit arbitrary to us. That’s because we know there are tens of thousands more vulnerabilities out there, already disclosed in some manner, that are not in the database yet. As time permits when doing our daily scrapes for new vulnerabilities, we work on backfilling the previous years. It is a bit scary to know that there are so many vulnerabilities out there that are not cataloged by any vulnerability database. It doesn’t matter if they were disclosed weeks ago, or decades ago. Thousands of pieces of software are used as libraries in bigger packages these days, and what may seem like a harmless crash to one could lead to code execution when bundled with additional software. It is critical that companies have vulnerability information available to them, even if it is older. Better late than never may sound rough, but it certainly is the truth.

In 2014, the only goal we have right now is to continue pushing out high-quality data that comes from a comprehensive list of sources: over 1,500 sources, in fact, with more being added every day. Now that the project is funded by Risk Based Security, we have an entire team that ensures this coverage. Now more than ever before, we’re in the position to slowly make the goal of cataloging every public vulnerability a reality.

Disclosure: Mr Number for Android Screenlock Bypass Concern


Mr. Number is an Android app that allows you to do a variety of blocking for incoming communication. I’ve been using it for several months now and am quite happy. Crowd-sourced spam detection usually lets you know when a new number is spam. When a call comes in that is suspected spam, a pop-up appears with the option to close it, block the call, etc.


If your screen is locked, it still pops up over the lock. Sometimes, but not always, if you block the number and tap ‘done’, it will drop you past the screenlock to the Android desktop.


I haven’t been able to figure out what causes it to happen sometimes and not other times. I asked someone more familiar with Android and he couldn’t reproduce it reliably, but he did confirm the issue. The attack scenario is that if you spoof a call to a device using a known bad number, you could conceivably bypass the screen lock. Not very practical, especially since it isn’t reliable.

[Thanks to Zach @OSVDB for pointing out I failed by not including the affected version: 1.3.1]