|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000
- To: "Steven M. Christey" <coley@linus.mitre.org>
- Subject: Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000
- From: aleph1@securityfocus.com
- Date: Wed, 3 May 2000 11:52:11 -0700
- Cc: cve-editorial-board-list@lists.mitre.org
- Delivery-Date: Wed May 3 14:52:38 2000
- In-Reply-To: <200005021907.PAA10052@basie.mitre.org>; from coley@LINUS.MITRE.ORG on Tue, May 02, 2000 at 03:07:03PM -0400
- References: <200005021907.PAA10052@basie.mitre.org>
- Sender: owner-cve-editorial-board-list@lists.mitre.org
* Steven M. Christey (coley@LINUS.MITRE.ORG) [000502 19:07]: > Elias Levy and Bill Wall brought up a number of different points > related to CAN-1999-0031, a Javascript bug. Below is the updated > voting information for this candidate. It touches on a number of > issues which I think are important for CVE, so I am emphasizing it > more than I usually would for a legacy candidate. > > - Steve > > > ================================= > Candidate: CAN-1999-0031 > Published: > Final-Decision: > Interim-Decision: > Modified: > Proposed: 19990728 > Assigned: 19990607 > Category: SF > Reference: CERT:CA-97.20.javascript > > JavaScript allows remote attackers to monitor a user's web > activities. > > INFERRED ACTION: CAN-1999-0031 ACCEPT (3 accept, 1 ack, 0 review) > > Current Votes: > ACCEPT(2) Wall, Cole > MODIFY(2) Christey, Levy > NOOP(1) Northcutt > > Comments: > Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html > Christey> > Christey> ADDREF HP:HPSBUX9707-065 > Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html > Christey> > Christey> According to the CERT advisory, this issue affects Internet > Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x. > Christey> Include this in the description. > Levy> Need a better description of the vulnerability there were several JS > Levy> vulnerabilities in the same time frame that had similar results but > Levy> were porly documented. This, the Bell Labs vulnerability, was one of them. > Levy> This is one of the other ones: > Levy> http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970711140700Z-21724@de-mch-he01a.exchange.pn.siemens.de > Wall> Add Internet Explorer 5 also. See > Wall> http://www.microsoft.com/technet/security/bulletin/ms99-043.asp which allows > Wall> JavaScript to read files on other computers. > Christey> MS:MS99-043 is already handled by CVE-1999-0793. This one is > Christey> different because IE 3.x and 4.x are affected; for > Christey> CVE-1999-0793, it affected 4.x and 5.x. Also, this one > Christey> just allows someone to read cookies, HTML form data, and > Christey> what URLs were visited. CVE-1999-0793 allows the attacker > Christey> to read files on the target's computer. Thus this one is > Christey> different than CVE-1999-0793, and MS:MS99-043 should not be > Christey> added. > Christey> > Christey> The reference that Elias provided describes 2 bugs, neither > Christey> of which is the "Bell Labs" bug, i.e. this candidate (just to > Christey> confirm what Elias said; the CERT advisory explicitly thanks > Christey> Bell Labs). The first bug *sounds* a lot like this candidate, but > Christey> didn't need Javascript. Refer to this as the "Danish bug" > Christey> since it was "discovered by a Danish IS consultant company." > Christey> > Christey> The second bug describes the same symptoms as CVE-1999-0793. > Christey> However, this reference only describes the problem for > Christey> Netscape Nagivator; CVE-1999-0793 only mentions IE. > Christey> Thus it's possible that the problem was identified and fixed > Christey> for Netscape, and later "rediscovered" by Microsoft and > Christey> addressed for Internet Explorer. (The CD:DISCOVERY-DATE content > Christey> decision, when reviewed by the Board, will dictate what to > Christey> do in these sorts of cases). But then again, they could be > Christey> different bugs entirely, but they just happen to have the same > Christey> symptoms. If the bug is more in the Javascript model than in > Christey> the implementation, then maybe CD:SF-CODEBASE won't apply. > Christey> We might be able to roll this second bug in with > Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in > Christey> the future. > Christey> > Christey> It is possible that this second bug is the same as the > Christey> "Singapore privacy bug" described here: > Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-28&msg=Pine.SUN.3.94.970728112219.25473B-100000@dfw.dfw.net > Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-22&msg=Pine.SUN.3.94.970726193056.27668B-100000@dfw.dfw.net > Christey> > Christey> These posts were on July 22 and 28. Singapore is dated after > Christey> the initial CERT advisory and references LiveConnect, which > Christey> "enables communication between JavaScript and Java applets." > Christey> Kuo Chiang, the person referenced in the above posts as the > Christey> discovered, sent a followup a week later on August 1: > Christey> > Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719458&w=2 > Christey> But this is merely a clarification of the earlier problem, as > Christey> his post includes a reference to a ZDNet article written > Christey> on July 25. > Christey> > Christey> The poster referred to by Elias, Matthias Dominick, sent a > Christey> followup to the CERT advisory saying that the Danish bug > Christey> appeared to be fixed, but the Bell Labs bug wasn't. > Christey> > Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970710145437Z-20375@de-mch-he01a.exchange.pn.siemens.de > Christey> > Christey> Two legacy candidates will eventually be created to handle > Christey> these 2 other bugs, i.e. Singapore and Danish. > Christey> > Christey> In the meantime, the description for this one can be extended > Christey> to mention the Bell Labs bug and include pointers back to some > Christey> of the related posts. > Christey> > Christey> If this mess isn't an argument for a naming standard, I don't > Christey> know what is :-) :-) On a more serious note, this is an > Christey> indicator of why it may be important for CVE to provide a way > Christey> of distinguishing between different bugs discovered in the > Christey> same software at around the same time (CD:SF-LOC will address this, > Christey> and is one of the first CD's we will discuss when I reintroduce > Christey> them). > > > >ACCEPT - voter accepts the candidate as proposed > >NOOP - voter has no opinion on the candidate > >MODIFY - voter wants to change some MINOR detail (e.g. reference/description) > >REVIEWING - voter is reviewing/researching the candidate, or needs more info > >RECAST - candidate must be significantly modified, e.g. split or merged > >REJECT - candidate is "not a vulnerability", or a duplicate, etc. > > VOTE: MODIFY Add "Bell Labs" to the description or name. -- Elias Levy SecurityFocus.com http://www.securityfocus.com/
- References:
- Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000
- Prev by Date: Re: Cybercrime treaty
- Next by Date: RE: Cybercrime treaty
- Prev by thread: Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000
- Next by thread: [CVEPRI] Upcoming Editorial Board tasks for CVE content
- Index(es):