
RE: Microsoft CNA assignment issues for April

There is an error on the page and we are working to resolve that as 
soon as possible.

Thanks,
  Elizabeth

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
jericho
Sent: Tuesday, April 11, 2017 11:35 AM
To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
Subject: Microsoft CNA assignment issues for April
Importance: High

All,

Microsoft has assigned a single CVE to cover "all April Adobe Flash 
updates" apparently:

https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments

    April Flash Security Update         2017-3447

Which links to
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.

Further, there is a single ID to cover "defense-in-depth" updates for a
product:

    Defense-in-Depth Update for Microsoft Office        2017-2605

Which links to
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605

I am fairly confident that 2017-3447 is not a proper assignment and 
does not follow the CNA guidelines, about assigning IDs to another 
vendor's products (and that vendor happens to be a CNA themselves). 
We've seen this done in the past with Oracle as well.

I'd also be surprised if a single ID assignment for multiple 
defense-in-depth enhancements meets the criteria of a CVE ID, since DiD 
enhancements generally do not mean there is a crossing of privilege 
boundaries, and therefore not vulnerabilities.

Could Microsoft and MITRE chime in on these please?

Brian


Page Last Updated or Reviewed: April 12, 2017