
Hidden Microsoft CVEs And No Answers



Last week I noticed Microsoft fixed three vulnerabilities with CVEs in ChakraCore. This is part of Chakra, the scripting engine used in Microsoft Edge.

These are the commits:
https://github.com/Microsoft/ChakraCore/commit/9da019424601325a6e95e6be0fa03d7d21d0b517
https://github.com/Microsoft/ChakraCore/commit/402f3d967c0a905ec5b9ca9c240783d3f2c15724
https://github.com/Microsoft/ChakraCore/commit/065b7978c40ded35c356ced6cd922a40156c9c46

I noticed the three CVEs were not mentioned in any of the recent Microsoft security bulletins even if MS17-007 addressed Microsoft Edge vulnerabilities.

I reached out to MSRC for clarification to determine if these do not impact MS Edge, if Microsoft forgot to patch MS Edge, or simply forgot to add the three CVEs to their security bulletin.

It has now been 6 business days, and I have still not received an answer. Historically, Microsoft have otherwise been good at responding quickly to such requests.

If Microsoft forgot to add these CVEs to MS17-007, it would be a simple matter of quickly updating the bulletin. If they forgot to include the fixes in MS Edge, they clearly have a much bigger problem (maybe that's the reason for their radio silence).

If these issues don't affect MS Edge, it seems CVEs should not be assigned by Microsoft, unless they inform about the assignments. Semi-hiding them in commits is, obviously, problematic, as they then won't be covered. Case in point: They are all still "RESERVED".

Either way, it's concerning that Microsoft first "hides" three CVEs within commit messages and next can't even respond to a CVE Board member in a timely manner when asking about the assignments.

Considering Microsoft not only is a CNA, but also represented on this board, it seems they need to work on improving their internal processes.

I'd appreciate it if Microsoft could shed some light on this.

/Carsten

Page Last Updated or Reviewed: March 27, 2017