Re: Rant: Common Malware Enumeration (CME) gets mixed reception

[Florian Weimer <fw () deneb enyo de>]

> For example, F-Secure mentioned that one of the newest Sober
> variants this morning had been assigned CME-151. Meanwhile,
> McAFee makes an AVERT announcement about a similar Sober variant
> that they feel warrants alerting their AVERT subscribers. However,
> if you go to the CME webpage, there is no listing for it, or any
> number of others.

Just like CVE, and it's not a real problem.  I don't think malware
life cycles are significantly shorter than vulnerability life cycles,
and you can always provide local description/cross references in your
own application, until the official ones are ready (the Debian testing
security team does this for CVE).

The real benefit is not the data MITRE provides, but the naming
service.  With CVE or CME, you can join information from completely
different databases.  For example, if you assign CVE names to your
security bugs, you can automatically tell your users if they are
remotely exploitable, simply by fetching the data from NVD (the NIST
iCAT successor).
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.