|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Microsoft CNA assignment issues for April
- To: jericho <jericho@attrition.org>, CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Subject: RE: Microsoft CNA assignment issues for April
- From: Elizabeth Scott <bethsco@microsoft.com>
- Date: Tue, 11 Apr 2017 19:27:17 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=oreject header.from=microsoft.com;
- Delivery-date: Tue Apr 11 15:36:31 2017
- In-reply-to: <alpine.LNX.2.00.1704111328340.19881@forced.attrition.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=bethsco@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-04-11T12:27:15.5330202-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
- References: <alpine.LNX.2.00.1704111328340.19881@forced.attrition.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHSsvPl9JNwrhmXHkOteBLyQt00jKHAjTYA
- Thread-topic: Microsoft CNA assignment issues for April
There is an error on the page and we are working to resolve that as soon as possible Thanks, Elizabeth -----Original Message----- From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho Sent: Tuesday, April 11, 2017 11:35 AM To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org> Subject: Microsoft CNA assignment issues for April Importance: High All, Microsoft has assigned a single CVE to cover "all April Adobe Flash updates" apparently: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Facknowledgments&data=02%7C01%7Cbethsco%40MICROSOFT.COM%7Cc1b35f6aa74149f6e0e608d4810b0769%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636275331747906495&sdata=DnwwK%2BOpQGzS%2F17hjuq3h9xumC7unQQ3qXkhhz0Zm6k%3D&reserved=0 April Flash Security Update 2017-3447 Which links to https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3D2017-3447&data=02%7C01%7Cbethsco%40MICROSOFT.COM%7Cc1b35f6aa74149f6e0e608d4810b0769%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636275331747906495&sdata=Yd0K6p2rV4xc92SlYIWG3IMSbjNY1Cs6JHwVubeTLBM%3D&reserved=0. Further, there is a single ID to cover "defense-in-depth" updates for a product: Defense-in-Depth Update for Microsoft Office 2017-2605 Which links to https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3D2017-2605&data=02%7C01%7Cbethsco%40MICROSOFT.COM%7Cc1b35f6aa74149f6e0e608d4810b0769%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636275331747906495&sdata=J2OKKHb77Etk4i8eu%2BCQ7lQsNqH9EpgXwSPRAUvNdP0%3D&reserved=0 I am fairly confident that 2017-3447 is not a proper assignment and does not follow the CNA guidelines, about assigning IDs to another vendor's products (and that vendor happens to be a CNA themselves). We've seen this done in the past with Oracle as well. I'd also be surprised if a single ID assignment for multiple defense-in-depth enhancements meets the criteria of a CVE ID, since DiD enhancements generally do not mean there is a crossing of privilege boundaries, and therefore not vulnerabilities. Could Microsoft and MITRE chime in on these please? Brian
- Follow-Ups:
- RE: Microsoft CNA assignment issues for April
- From: jericho <jericho@attrition.org>
- RE: Microsoft CNA assignment issues for April
- References:
- Microsoft CNA assignment issues for April
- From: jericho <jericho@attrition.org>
- Microsoft CNA assignment issues for April
- Prev by Date: Microsoft CNA assignment issues for April
- Next by Date: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- Previous by thread: Microsoft CNA assignment issues for April
- Next by thread: RE: Microsoft CNA assignment issues for April
- Index(es):