
Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000502 19:07]:
> Elias Levy and Bill Wall brought up a number of different points
> related to CAN-1999-0031, a Javascript bug.  Below is the updated
> voting information for this candidate.  It touches on a number of
> issues which I think are important for CVE, so I am emphasizing it
> more than I usually would for a legacy candidate.
> - Steve
> =================================
> Candidate: CAN-1999-0031
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 19990728
> Assigned: 19990607
> Category: SF
> Reference: CERT:CA-97.20.javascript
> JavaScript allows remote attackers to monitor a user's web
> activities.
> INFERRED ACTION: CAN-1999-0031 ACCEPT (3 accept, 1 ack, 0 review)
> Current Votes:
>    ACCEPT(2) Wall, Cole
>    MODIFY(2) Christey, Levy
>    NOOP(1) Northcutt
> Comments:
>  Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html
>  Christey>
>  Christey> ADDREF HP:HPSBUX9707-065
>  Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
>  Christey>
>  Christey> According to the CERT advisory, this issue affects Internet
>  Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
>  Christey> Include this in the description.
>  Levy> Need a better description of the vulnerability; there were several JS
>  Levy> vulnerabilities in the same time frame that had similar results but
>  Levy> were poorly documented. This, the Bell Labs vulnerability, was one of them.
>  Levy> This is one of the other ones:
>  Levy> http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970711140700Z-21724@de-mch-he01a.exchange.pn.siemens.de
>  Wall> Add Internet Explorer 5 also.  See
>  Wall> http://www.microsoft.com/technet/security/bulletin/ms99-043.asp which allows
>  Wall> JavaScript to read files on other computers.
>  Christey> MS:MS99-043 is already handled by CVE-1999-0793.  This one is
>  Christey> different because IE 3.x and 4.x are affected; for
>  Christey> CVE-1999-0793, it affected 4.x and 5.x.  Also, this one
>  Christey> just allows someone to read cookies, HTML form data, and
>  Christey> what URLs were visited.  CVE-1999-0793 allows the attacker
>  Christey> to read files on the target's computer.  Thus this one is
>  Christey> different than CVE-1999-0793, and MS:MS99-043 should not be
>  Christey> added.
>  Christey>
>  Christey> The reference that Elias provided describes 2 bugs, neither
>  Christey> of which is the "Bell Labs" bug, i.e. this candidate (just to
>  Christey> confirm what Elias said; the CERT advisory explicitly thanks
>  Christey> Bell Labs). The first bug *sounds* a lot like this candidate, but
>  Christey> didn't need Javascript.  Refer to this as the "Danish bug"
>  Christey> since it was "discovered by a Danish IS consultant company."
>  Christey>
>  Christey> The second bug describes the same symptoms as CVE-1999-0793.
>  Christey> However, this reference only describes the problem for
>  Christey> Netscape Navigator; CVE-1999-0793 only mentions IE.
>  Christey> Thus it's possible that the problem was identified and fixed
>  Christey> for Netscape, and later "rediscovered" by Microsoft and
>  Christey> addressed for Internet Explorer.  (The CD:DISCOVERY-DATE content
>  Christey> decision, when reviewed by the Board, will dictate what to
>  Christey> do in these sorts of cases).  But then again, they could be
>  Christey> different bugs entirely, but they just happen to have the same
>  Christey> symptoms.  If the bug is more in the Javascript model than in
>  Christey> the implementation, then maybe CD:SF-CODEBASE won't apply.
>  Christey> We might be able to roll this second bug in with
>  Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in
>  Christey> the future.
>  Christey>
>  Christey> It is possible that this second bug is the same as the
>  Christey> "Singapore privacy bug" described here:
>  Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-28&msg=Pine.SUN.3.94.970728112219.25473B-100000@dfw.dfw.net
>  Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-22&msg=Pine.SUN.3.94.970726193056.27668B-100000@dfw.dfw.net
>  Christey>
>  Christey> These posts were on July 22 and 28.  Singapore is dated after
>  Christey> the initial CERT advisory and references LiveConnect, which
>  Christey> "enables communication between JavaScript and Java applets."
>  Christey> Kuo Chiang, the person referenced in the above posts as the
>  Christey> discoverer, sent a followup a week later on August 1:
>  Christey>
>  Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719458&w=2
>  Christey> But this is merely a clarification of the earlier problem, as
>  Christey> his post includes a reference to a ZDNet article written
>  Christey> on July 25.
>  Christey>
>  Christey> The poster referred to by Elias, Matthias Dominick, sent a
>  Christey> followup to the CERT advisory saying that the Danish bug
>  Christey> appeared to be fixed, but the Bell Labs bug wasn't.
>  Christey>
>  Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970710145437Z-20375@de-mch-he01a.exchange.pn.siemens.de
>  Christey>
>  Christey> Two legacy candidates will eventually be created to handle
>  Christey> these 2 other bugs, i.e. Singapore and Danish.
>  Christey>
>  Christey> In the meantime, the description for this one can be extended
>  Christey> to mention the Bell Labs bug and include pointers back to some
>  Christey> of the related posts.
>  Christey>
>  Christey> If this mess isn't an argument for a naming standard, I don't
>  Christey> know what is :-) :-)  On a more serious note, this is an
>  Christey> indicator of why it may be important for CVE to provide a way
>  Christey> of distinguishing between different bugs discovered in the
>  Christey> same software at around the same time (CD:SF-LOC will address this,
>  Christey> and is one of the first CD's we will discuss when I reintroduce
>  Christey> them).
> >ACCEPT - voter accepts the candidate as proposed
> >NOOP - voter has no opinion on the candidate
> >MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> >REVIEWING - voter is reviewing/researching the candidate, or needs more info
> >RECAST - candidate must be significantly modified, e.g. split or merged
> >REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Add "Bell Labs" to the description or name.

Elias Levy

Page Last Updated or Reviewed: May 22, 2007