Hidden Microsoft CVEs And No Answers

Hidden Microsoft CVEs And No Answers

Carsten Eiram
Last week I noticed Microsoft fixed three vulnerabilities with CVEs in ChakraCore. This is part of Chakra, the scripting engine used in Microsoft Edge.

These are the commits:

I noticed the three CVEs were not mentioned in any of the recent Microsoft security bulletins even if MS17-007 addressed Microsoft Edge vulnerabilities.

I reached out to MSRC for clarification to determine if these do not impact MS Edge, if Microsoft forgot to patch MS Edge, or simply forgot to add the three CVEs to their security bulletin.

It has now been 6 business days, and I have still not received an answer. Historically, Microsoft have otherwise been good at responding quickly to such requests.

If Microsoft forgot to add these CVEs to MS17-007, it would be a simple matter of quickly updating the bulletin. If they forgot to include the fixes in MS Edge, they clearly have a much bigger problem (maybe that's the reason for their radio silence).

If these issues don't affect MS Edge, it seems CVEs should not be assigned by Microsoft, unless they inform about the assignments. Semi-hiding them in commits is, obviously, problematic, as they then won't be covered. Case in point: They are all still "RESERVED".

Either way, it's concerning that Microsoft first "hides" three CVEs within commit messages and next can't even respond to a CVE Board member in a timely manner when asking about the assignments.

Considering Microsoft not only is a CNA, but also represented on this board, it seems they need to work on improving their internal processes.

I'd appreciate if Microsoft could shed some light on this.

/Carsten

Re: Hidden Microsoft CVEs And No Answers

jericho
On Sat, 25 Mar 2017, Carsten Eiram wrote:

: It has now been 6 business days, and I have still not received an
: answer. Historically, Microsoft have otherwise been good at responding
: quickly to such requests.

The last 45 days of dealing with Microsoft has been extremely
disappointing for me as well. When contacting them twice about random CVEs
they assigned in 2016 and then seemingly removed from advisories, and then
when questioning the affected products in Jan 17 patch releases, answers
are not forthcoming. It is taking them days to ack the mail, then weeks to
follow-up. In some cases it was a 4+ week process to resolve the
questions. Right now, I still have two requests outstanding, one CVE
related.

: I'd appreciate if Microsoft could shed some light on this.

As Carsten notes, this is a turnaround from how responsive Microsoft used
to be even mid to late last year. Something has changed inside MSRC
clearly.

.b

RE: Hidden Microsoft CVEs And No Answers

Coffin, Chris

Carsten,

Thanks for the investigation and heads-up regarding these issues. We will also check with our Microsoft CNA contacts directly and see what we can find out.

Regards,

Chris Coffin
The CVE Team

From: [hidden email] [mailto:[hidden email]] On Behalf Of Carsten Eiram
Sent: Saturday, March 25, 2017 2:44 AM
To: cve-editorial-board-list <[hidden email]>
Subject: Hidden Microsoft CVEs And No Answers

RE: Hidden Microsoft CVEs And No Answers

Elizabeth Scott

Sorry for the delay. Adding Simon Pope.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Coffin, Chris
Sent: Monday, March 27, 2017 9:14 AM
To: Carsten Eiram <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: RE: Hidden Microsoft CVEs And No Answers