[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Microsoft CNA assignment issues for April
- To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Subject: Microsoft CNA assignment issues for April
- From: jericho <jericho@attrition.org>
- Date: Tue, 11 Apr 2017 13:34:35 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Delivery-date: Tue Apr 11 14:53:05 2017
- Importance: high
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
All,Microsoft has assigned a single CVE to cover "all April Adobe Flash updates" apparently:
https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments April Flash Security Update 2017-3447Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.
Further, there is a single ID to cover "defense-in-depth" updates for a product:
Defense-in-Depth Update for Microsoft Office 2017-2605 Which links to https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605I am fairly confident that 2017-3447 is not a proper assignment and does not follow the CNA guidelines, about assigning IDs to another vendor's products (and that vendor happens to be a CNA themselves). We've seen this done in the past with Oracle as well.
I'd also be surprised if a single ID assignment for multiple defense-in-depth enhancements meets the criteria of a CVE ID, since DiD enhancements generally do not mean there is a crossing of privilege boundaries, and therefore not vulnerabilities.
Could Microsoft and MITRE chime in on these please? Brian
- Follow-Ups:
- RE: Microsoft CNA assignment issues for April
- From: Elizabeth Scott <bethsco@microsoft.com>
- Re: Microsoft CNA assignment issues for April
- From: jericho <jericho@attrition.org>
- RE: Microsoft CNA assignment issues for April
- Prev by Date: Re: HP's policy on CVE assignments
- Next by Date: RE: Microsoft CNA assignment issues for April
- Previous by thread: Re: HP's policy on CVE assignments
- Next by thread: RE: Microsoft CNA assignment issues for April
- Index(es):
