
Microsoft CNA assignment issues for April


Microsoft has assigned a single CVE to cover "all April Adobe Flash updates" apparently:


   April Flash Security Update  2017-3447

Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.

Further, there is a single ID to cover "defense-in-depth" updates for a product:

   Defense-in-Depth Update for Microsoft Office         2017-2605

Which links to

I am fairly confident that 2017-3447 is not a proper assignment and does not follow the CNA guidelines about assigning IDs to another vendor's products (and that vendor happens to be a CNA themselves). We've seen this done in the past with Oracle as well.

I'd also be surprised if a single ID assignment for multiple defense-in-depth enhancements meets the criteria of a CVE ID, since DiD enhancements generally do not mean there is a crossing of privilege boundaries, and therefore are not vulnerabilities.

Could Microsoft and MITRE chime in on these please?


Page Last Updated or Reviewed: April 20, 2017