[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Hidden Microsoft CVEs And No Answers



Sorry for the delay  Adding Simon Pope

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
Sent: Monday, March 27, 2017 9:14 AM
To: Carsten Eiram <che@riskbasedsecurity.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Hidden Microsoft CVEs And No Answers

 

Carsten,

 

Thanks for the investigation and heads-up regarding these issues. We will also check with our Microsoft CNA contacts directly and see what we can find out.

 

Regards,

 

Chris Coffin

The CVE Team

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Carsten Eiram
Sent: Saturday, March 25, 2017 2:44 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Hidden Microsoft CVEs And No Answers

 

Last week I noticed Microsoft fixed three vulnerabilities with CVEs in ChakraCore. This is part of Chakra; the scripting engine used in Microsoft Edge.

 

These are the commits:

 

I noticed the three CVEs were not mentioned in any of the recent Microsoft security bulletins even if MS17-007 addressed Microsoft Edge vulnerabilities.

 

I reached out to MSRC for clarification to determine if these do not impact MS Edge, if Microsoft forgot to patch MS Edge, or simply forgot to add the three CVEs to their security bulletin.

 

It has now been 6 business days, and I have still not received an answer. Historically, Microsoft have otherwise been good at responding quickly to such requests.

 

If Microsoft forgot to add these CVEs to MS17-007, it would be a simple matter of quickly updating the bulletin. If they forgot to include the fixes in MS Edge, they clearly have a much bigger problem (maybe that's the reason for their radio silence).

 

If these issues don't affect MS Edge, it seems CVEs should not be assigned by Microsoft, unless they inform about the assignments. Semi-hiding them in commits is, obviously, problematic, as they then won't be covered. Case in point: They are all still "RESERVED".

 

Either way, it's concerning that Microsoft first "hides" three CVEs within commit messages and next can't even respond to a CVE Board member in a timely manner when asking about the assignments.

 

Considering Microsoft not only is a CNA, but also represented on this board, it seems they need to work on improving their internal processes.

 

I'd appreciate if Microsoft could shed some light on this.

 

/Carsten


Page Last Updated or Reviewed: March 30, 2017