[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)



Adam Shostack said:

>I'm not sure that the existance of a vendor patch should be accepted
>as addressing these issues; see the recent Internet explorer roll-up
>patch.

Note that MITRE is very careful about assuming that an advisory fixes
a particular issue.  The Tao of CVE Refinement, which I quote heavily
to the content team, asks: "If someone claims acknowledgement and the
vendor says nothing or speaks in riddles, then has the problem been
fixed?"  Basically, without clear evidence that the vendor is
addressing a specific issue, we don't add it as a reference to a
candidate/entry that it might be addressing.  Depending on how
circumstantial the evidence, we may create a separate item for it and
note the possible duplication in the analysis section, or I might cast
a REVIEWING vote on the possible duplicate candidate and note the
vague reference.

A great example of this is the classic phrase "fixed security bug,"
which you find scattered throughout change logs from a variety of open
and closed source, commercial and freeware vendors.  Without at least
a closely-correlated date and some credits to the person who announced
the problem to Bugtraq, we normally don't call this sufficient
acknowledgement, and the "vendor acknowledgement" data field has an
"unknown vague" value in it, which is available to voters.

There are about 15 candidates whose acknowledgement is "unknown
vague," but there are about 100 candidates whose acknowledgement is
"unknown discloser-claimed" - where the person announcing the problem
says that the vendor fixed the issue and/or provided a patch, but
there's no clear public acknowledgement from the vendor.

- Steve

Page Last Updated or Reviewed: May 22, 2007