Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
On Tue, Feb 19, 2002 at 10:06:12AM -0600, Mike Prosser wrote:
| I agree with Scott on this one.
| If a vendor discovers the problem on their own (it does happen you know!)
| after release or a customer notifies them of the issue, the vendor isn't
| going to release the technical issues of the problem, just a brief
| description, maybe with a risk level of the issue and a patch or updated
| version to fix it.
| And that is pretty much what a client is concerned with....am I vulnerable?
| How do I fix it so I am not? So I don't think we will ever get away from
| the vagueness. It is frustrating from a research and technical aspect, but
| something that we have to live with.

I'm not sure that the existence of a vendor patch should be accepted as
addressing these issues; see the recent Internet Explorer roll-up patch.
From a practical level, we may need to work with it today, but I think we
may want to encourage vendors to behave better than this. Can we use
CD:VAGUE as a pressure point?

| Scott's suggestion that the VAGUE CD should specifically refer to issues
| confirmed by the Vendor but not further detailed is a good idea.

Agreed; as I said in my other note, we may want a different CD to cover
issues partially reported by reputable sources.

Adam

| -Mike Prosser
| Research Technical Lead, SIRC
| Symantec Security Response
| Symantec Corporation
|
| mprosser@symantec.com
| http://securityresponse.symantec.com
|
| (210) 403-7833
| (210) 403-7895 Fax
|
|
| Tknogeek@AOL.COM
| Sent by: owner-cve-editorial-board-list@lists.mitre.org
| 02/18/2002 09:50 PM
|
| To: cve-editorial-board-list@lists.mitre.org
| cc:
| Subject: Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
|
|
| Pascal and Steve,
| My take on this is a practical one as always. If a vendor chooses to
| release something vague, they are openly admitting that they have a
| problem that requires patching. The vendor admits that an exposure or
| vulnerability exists. While I wish we lived in a world of perfect
| information that is not the case. I think CD:VAGUE will help us deal
| with that imperfection provided we don't overuse it.
|
| I think it's important to remember that one of the primary uses of CVE is
| to help get systems properly secured. In the cases where a vendor says
| "You need to install this patch", I think that warrants a CVE entry...even
| if it is a little vague.
|
| If we start assigning VAGUE to unconfirmed items, it could get a
| little messy. Maybe we need to specify in the definition that VAGUE
| specifically refers to vague VENDOR confirmed reports rather than vague
| in general.
|
| I'm sure if we beat this to death long enough we can come up with a
| metric for vagueness too.
| :-)
|
| Scott
|
| Scott Lawler, CISSP
| Veridian -- "It is seldom that liberty of any kind is lost all at once." -Hume