
RE: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase



Good point; we went through the same contortions and evolution with this
vulnerability.

First of all, I don't believe it to be a LOA problem (even if I don't really
believe in voodoo). Therefore, we could go two ways on this type of issue:
either enumerate all the mailers and risk missing one (which IMHO is a
function of a vulnerability database (VDB), not the CVE) or use a general
term, such as 'some MIME-compliant mailers...'

If we choose to enumerate, then it'll cascade into 'not listing all OSes,
versions, etc.', which again degrades into a VDB's job (no offense to those
who own VDBs).

As background, originally we heard about this vuln affecting Outlook, and
then it was broadened to all MIME-compliant mail programs. (Thus why our
term is a bit misleading; once defined, an X-Force tagname is set in stone,
or at least in wet concrete on a summer day.)

Good point, Adam and Steve.

=====================================
Andre Frech
X-Force Security Research
afrech@iss.net

Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
www.iss.net
Adaptive Network Security for the Enterprise
=====================================


> -----Original Message-----
> From: Steven M. Christey [mailto:coley@linus.mitre.org]
> Sent: Wednesday, June 23, 1999 1:40 PM
> To: cve-review@linus.mitre.org
> Subject: Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION
> phase
>
>
>
> Adam Shostack asked me the following question, which touches on a
> potentially delicate issue that nonetheless should be addressed sooner
> rather than later.  Quiet people may want to pipe up on this one ;-)
>
> | Candidate: CAN-1999-0004
> | Published:
> | Final-Decision:
> | Interim-Decision:
> | Modified: 19990621-01
> | Announced: 19990607
> | Assigned: 19990607
> | Category: SF
> | Reference: CERT:CA-98.10.mime_buffer_overflows
> | Reference: XF:outlook-long-name
> | Reference: SUN:00175
> |
> | MIME buffer overflow in email clients, e.g. Solaris mailtool
> | and Outlook.
> |
> | Modifications:
> |   ADDREF MS:MS98-008
> |   DESC include Outlook
> |
>
> >It occurs to me that there may be a [level of abstraction] issue
> >here. Why are we grouping all mailtools into one entry?  If we choose
> >to do this, we need to add at least Eudora as well.  It's fairly clear
> >to me that these are distinct.
>
> I see how you think this could be an LOA (level of abstraction) issue.
> There are multiple applications affected.
>
> From my perspective, we shouldn't divide this into separate
> vulnerabilities because:
>   - the same "exploit" would work on any of these applications
>     (modulo the OS the application is on)
>   - the bug occurs in multiple applications, but these applications
>     all do the same thing (i.e. process email)
>   - the bug is in the same functional component/specific "operation"
>     of the applications, i.e. the MIME conversion
>   - the bug has been discovered in each application at (basically)
>     the same time
>
> To me, this is the same implementation flaw, spread across different
> implementations of the same type of application, so this is the
> appropriate LOA to use.  (Er, I suppose I could have written that
> better).  Do people agree with this perspective?
>
> Note that the description singles out mailtool and Outlook, ignoring
> the other applications that are affected.  Assuming we agree on the
> LOA, should the description be modified to list all affected clients?
>
> - Steve
>

Page Last Updated or Reviewed: May 22, 2007