RE: Microsoft CNA assignment issues for April
Microsoft, any update?
RBS has received one customer support ticket asking about the 2017-3447
assignment, suggesting that we made a mistake. Obviously, I find that
offensive given that I was likely the first to point out Microsoft's
mistake in this assignment.
Between the 'rollup' assignment, Microsoft likely stepping on RedHat's
pool to assign the 2017-2605 ID, and entirely changing the way Microsoft
delivers advisory information, which made many of your customers
scramble... I believe it is pretty clear where the errors originate.
This is very clearly a big issue in the world of disclosure, specifically
related to CVE ID assignment. This has a real-world impact on multiple
companies, two that I am directly involved in, and a third via support
ticket. I am sure I will wake up to additional support tickets via one of
those roles, essentially asking the same question re: 2017-2605 and/or
2017-3447.
Brian
On Tue, 11 Apr 2017, Elizabeth Scott wrote:
: There is an error on the page and we are working to resolve that as
: soon as possible.
:
: Thanks,
: Elizabeth
:
: -----Original Message-----
: From: owner-cve-editorial-board-list@lists.mitre.org
: [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
: Sent: Tuesday, April 11, 2017 11:35 AM
: To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
: Subject: Microsoft CNA assignment issues for April
: Importance: High
:
: All,
:
: Microsoft has assigned a single CVE to cover "all April Adobe Flash
: updates" apparently:
:
: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
:
: April Flash Security Update 2017-3447
:
: Which links to
:
: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447
:
: Further, there is a single ID to cover "defense-in-depth" updates for a
: product:
:
: Defense-in-Depth Update for Microsoft Office 2017-2605
:
: Which links to
:
: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605
:
: I am fairly confident that 2017-3447 is not a proper assignment and
: does not follow the CNA guidelines about assigning IDs to another
: vendor's products (and that vendor happens to be a CNA themselves).
: We've seen this done in the past with Oracle as well.
:
: I'd also be surprised if a single ID assignment for multiple
: defense-in-depth enhancements meets the criteria of a CVE ID, since DiD
: enhancements generally do not mean there is a crossing of privilege
: boundaries, and therefore are not vulnerabilities.
:
: Could Microsoft and MITRE chime in on these please?
:
: Brian
: