Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000
Elias Levy and Bill Wall brought up a number of different points
voting information for this candidate. It touches on a number of
issues which I think are important for CVE, so I am emphasizing it
more than I usually would for a legacy candidate.
INFERRED ACTION: CAN-1999-0031 ACCEPT (3 accept, 1 ack, 0 review)
ACCEPT(2) Wall, Cole
MODIFY(2) Christey, Levy
Christey> ADDREF HP:HPSBUX9707-065
Christey> According to the CERT advisory, this issue affects Internet
Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
Christey> Include this in the description.
Levy> Need a better description of the vulnerability. There were several JS
Levy> vulnerabilities in the same time frame that had similar results but
Levy> were poorly documented. This, the Bell Labs vulnerability, was one of them.
Levy> This is one of the other ones:
Wall> Add Internet Explorer 5 also. See
Wall> http://www.microsoft.com/technet/security/bulletin/ms99-043.asp which allows
Christey> MS:MS99-043 is already handled by CVE-1999-0793. This one is
Christey> different because IE 3.x and 4.x are affected; for
Christey> CVE-1999-0793, it affected 4.x and 5.x. Also, this one
Christey> just allows someone to read cookies, HTML form data, and
Christey> what URLs were visited. CVE-1999-0793 allows the attacker
Christey> to read files on the target's computer. Thus this one is
Christey> different than CVE-1999-0793, and MS:MS99-043 should not be
Christey> The reference that Elias provided describes 2 bugs, neither
Christey> of which is the "Bell Labs" bug, i.e. this candidate (just to
Christey> confirm what Elias said; the CERT advisory explicitly thanks
Christey> Bell Labs). The first bug *sounds* a lot like this candidate, but
Christey> since it was "discovered by a Danish IS consultant company."
Christey> The second bug describes the same symptoms as CVE-1999-0793.
Christey> However, this reference only describes the problem for
Christey> Netscape Navigator; CVE-1999-0793 only mentions IE.
Christey> Thus it's possible that the problem was identified and fixed
Christey> for Netscape, and later "rediscovered" by Microsoft and
Christey> addressed for Internet Explorer. (The CD:DISCOVERY-DATE content
Christey> decision, when reviewed by the Board, will dictate what to
Christey> do in these sorts of cases). But then again, they could be
Christey> different bugs entirely, but they just happen to have the same
Christey> the implementation, then maybe CD:SF-CODEBASE won't apply.
Christey> We might be able to roll this second bug in with
Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in
Christey> the future.
Christey> It is possible that this second bug is the same as the
Christey> "Singapore privacy bug" described here:
Christey> These posts were on July 22 and 28. Singapore is dated after
Christey> the initial CERT advisory and references LiveConnect, which
Christey> Kuo Chiang, the person referenced in the above posts as the
Christey> discoverer, sent a followup a week later on August 1:
Christey> But this is merely a clarification of the earlier problem, as
Christey> his post includes a reference to a ZDNet article written
Christey> on July 25.
Christey> The poster referred to by Elias, Matthias Dominick, sent a
Christey> followup to the CERT advisory saying that the Danish bug
Christey> appeared to be fixed, but the Bell Labs bug wasn't.
Christey> Two legacy candidates will eventually be created to handle
Christey> these 2 other bugs, i.e. Singapore and Danish.
Christey> In the meantime, the description for this one can be extended
Christey> to mention the Bell Labs bug and include pointers back to some
Christey> of the related posts.
Christey> If this mess isn't an argument for a naming standard, I don't
Christey> know what is :-) :-) On a more serious note, this is an
Christey> indicator of why it may be important for CVE to provide a way
Christey> of distinguishing between different bugs discovered in the
Christey> same software at around the same time (CD:SF-LOC will address this,
Christey> and is one of the first CD's we will discuss when I reintroduce
>ACCEPT - voter accepts the candidate as proposed
>NOOP - voter has no opinion on the candidate
>MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
>REVIEWING - voter is reviewing/researching the candidate, or needs more info
>RECAST - candidate must be significantly modified, e.g. split or merged
>REJECT - candidate is "not a vulnerability", or a duplicate, etc.