
Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)



On Tue, Feb 19, 2002 at 10:06:12AM -0600, Mike Prosser wrote:
| I agree with Scott on this one.
|  If a vendor discovers the problem on their own (it does happen you know!)
| after release or a customer notifies them of the issue, the vendor isn't
| going to release the technical issues of the problem, just a brief
| description, maybe with a risk level of the issue and a patch or updated
| version to fix it.
| And that is pretty much what a client is concerned with....am I vulnerable?
| How do I fix it so I am not?  So I don't think we will ever get away from
| the vagueness.  It is frustrating from a research and technical aspect, but
| something that we have to live with.

I'm not sure that the existence of a vendor patch should be accepted
as addressing these issues; see the recent Internet Explorer roll-up
patch.  From a practical level, we may need to work with it today, but
I think we may want to encourage vendors to behave better than this.
Can we use CD:VAGUE as a pressure point?



| Scott's suggestion that the VAGUE CD should specifically refer to issues
| confirmed by the Vendor but not further detailed is a good idea.

Agreed; as I said in my other note, we may want a different CD to
cover issues partially reported by reputable sources.

Adam


| -Mike Prosser
| Research Technical Lead, SIRC
| Symantec Security Response
| Symantec Corporation
|
| mprosser@symantec.com
| http://securityresponse.symantec.com
|
| (210) 403-7833
| (210) 403-7895 Fax
|
|
|
| From:     Tknogeek@AOL.COM
| Sent by:  owner-cve-editorial-board-list@lists.mitre.org
| Date:     02/18/2002 09:50 PM
| To:       cve-editorial-board-list@lists.mitre.org
| cc:
| Subject:  Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
|
| Pascal and Steve,
| My take on this is a practical one as always. If a vendor chooses to
| release something vague, they are openly admitting that they have a
| problem that requires patching.  The vendor admits that an exposure or
| vulnerability exists.  While I wish we lived in a world of perfect
| information that is not the case.  I think CD:VAGUE will help us deal
| with that imperfection provided we don't overuse it.
|
| I think it's important to remember that one of the primary uses of CVE is
| to help get systems properly secured.   In the cases where a vendor says
| "You need to install this patch", I think that warrants a CVE entry...even
| if it is a little vague.
|
| If we start assigning VAGUE to unconfirmed items, it could get a
| little messy.  Maybe we need to specify in the definition that VAGUE
| specifically refers to vague VENDOR confirmed reports rather than vague
| in general.
|
| I'm sure if we beat this to death long enough we can come up with a
| metric for vagueness too.  :-)
|
| Scott
|
| Scott Lawler, CISSP
| Veridian

--
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

Page Last Updated or Reviewed: May 22, 2007