8

Is there a database of vulnerabilities somewhere, that can be queried in such a way as to return results for all non-patched vulnerabilities for a specific piece of software?

For example, I would like to see a list of the current non-patched (workarounds don't count as patches) vulnerabilities, including CVE numbers, in Windows 7.

Iszi
  • @Paul - Having a CVE number does *not*, by definition, mean it is solved. A fully-patched Windows box will still have numerous vulnerabilities, all *with CVE numbers*, that do not yet have patches released. The only thing a CVE number represents is that it is a known vulnerability in the Common Vulnerabilities & Exposures list. – Iszi Mar 24 '11 at 20:22
  • @Paul - For example, CVE-2008-4609 is a vulnerability in the TCP/IP stack affecting almost all Windows OS's since Win2K. Microsoft rates it "Critical" or "Important" for most versions. McAfee Vulnerability Manager marks it as a "Medium" finding. US-CERT rates it "High". However, Microsoft has not (and will not - see Security Bulletin MS09-048) released any patches to mitigate this in XP or 2K. This may be a somewhat-poor example of what I'm looking for (I'm more aiming at zero-day vulnerabilities) but it's one I encounter often. – Iszi Mar 24 '11 at 21:02
  • If it is registered as a CVE, it can't really be considered a zero-day anymore, can it? – AviD Mar 24 '11 at 22:55
  • @Avid - Okay, you caught me there. But I'm sure you caught my meaning, too. I was running out of characters again. – Iszi Mar 25 '11 at 00:09
  • You are right, AviD's answer is the correct reply that I should have provided. Nevertheless, I am aware of software companies that do always provide solutions for vulnerabilities known publicly (and that have CVE entries), and that misled my answer. In between, for many software vendors, a workaround is a solution, at least in the short run. In general, if responsible disclosure is respected (which is the case with Secunia), then this means it is unpatched either because the vendor was not quick enough to patch it *but will*, or the vendor estimates the cost is higher than the risk. – Phoenician-Eagle Mar 25 '11 at 02:46

2 Answers

6

One good starting point for this would be www.secunia.com. You can get a list by product there of known security issues, and the page notes unpatched issues. For Windows 7, for example, there's this list.

Rory McCune
6

You might try the National Vulnerability Database (NVD) advanced search page; however, it is quite slow and isn't great for searching for a specific product.

A faster and more direct service is CVE Details which lets you browse CVEs by product.

Finally, you could try downloading machine-readable CVEs and parsing them yourself.

Mark E. Haase
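The third suggestion, parsing machine-readable CVEs yourself, as an added Python example that is not part of the original answer: it assumes the NVD JSON 1.1 feed layout and a constructed two-item feed, and selects items whose vulnerable CPE entries name a given vendor and product (the feed itself does not record whether a patch exists, so this gives the by-product list rather than the unpatched subset the question asks for).

```python
import json

# Constructed sample shaped like an NVD JSON 1.1 feed (an assumption about the
# feed format; the IDs, texts and scores are made up, not from the original page).
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-1900-0001"}, "description": {"description_data": [
         {"lang": "en", "value": "Constructed: flaw in the Windows 7 kernel"}]}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.8}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-1900-0002"}, "description": {"description_data": [
         {"lang": "en", "value": "Constructed: flaw reachable only on Windows XP"}]}},
     # Nested AND/OR nodes: Windows 7 appears, but only as a non-vulnerable condition.
     "configurations": {"nodes": [{"operator": "AND", "children": [
         {"operator": "OR", "cpe_match": [{"vulnerable": True,
             "cpe23Uri": "cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*"}]},
         {"operator": "OR", "cpe_match": [{"vulnerable": False,
             "cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*"}]}]}]},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}}}},
]})


def vulnerable_cpes(node):
    # Walk one configuration node (and its children) and yield every CPE URI
    # that the feed flags as vulnerable; non-vulnerable conditions are skipped.
    for match in node.get("cpe_match", []):
        if match.get("vulnerable"):
            yield match["cpe23Uri"]
    for child in node.get("children", []):
        yield from vulnerable_cpes(child)


def cves_for_product(feed_json, vendor, product):
    # Return (CVE id, CVSS base score, English summary) for every item whose
    # vulnerable CPEs name vendor:product, highest score first. Fields 3 and 4 of
    # a CPE 2.3 URI are vendor and product (names containing escaped colons
    # would need a real CPE parser instead of a plain split).
    hits = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cpes = [uri for node in item["configurations"]["nodes"]
                for uri in vulnerable_cpes(node)]
        if not any(uri.split(":")[3:5] == [vendor, product] for uri in cpes):
            continue
        impact = item.get("impact", {})
        score = (impact.get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
                 or impact.get("baseMetricV2", {}).get("cvssV2", {}).get("baseScore"))
        summary = next(d["value"] for d in item["cve"]["description"]["description_data"]
                       if d["lang"] == "en")
        hits.append((item["cve"]["CVE_data_meta"]["ID"], score, summary))
    return sorted(hits, key=lambda hit: -(hit[1] or 0))
```

The nested second item is there to show why the vulnerable flag must be honoured: Windows 7 is named in its configuration, but only as a non-vulnerable condition, so it is correctly left out of the Windows 7 list.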