Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/113114347330112579">Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:43 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/113047143641261710" rel="in-reply-to">in reply to</a></div></section><article><p>Note that this is only now officially CVE-2024-38217, and Microsoft has released a fix for it:<br><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38217" rel="nofollow noreferrer">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38217</a></p><p>Why did this public, exploited-in-the-wild vulnerability not get a CVE for more than a month?<br>It's because Microsoft doesn't follow CVE CNA rules, and they only assign CVEs to updates, rather than vulnerabilities.<br>It's also because MITRE doesn't follow the CVE CNA rules, functioning as a CNA-LR (they ignored the request to get this issue a CVE).</p><p>Great job, folks!</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3651109#notice-7154427">In conversation</a><time datetime="2024-09-12T01:47:43+09:00" title="Thursday, 12-Sep-2024 01:47:43 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/113114347330112579" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/113114347330112579">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3155220">Untitled attachment</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/114/347/038/874/604/original/027605559384adcb.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/114/347/038/874/604/original/027605559384adcb.png</a></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38217Why">Security Update Guide - Microsoft Security Response Center</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 12-Sep-2024 01:47:43 JST Will Dormann
in reply to
Note that this is only now officially CVE-2024-38217, and Microsoft has released a fix for it:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38217
Why did this public, exploited-in-the-wild vulnerability not get a CVE for more than a month?
It's because Microsoft doesn't follow CVE CNA rules, and they only assign CVEs to updates, rather than vulnerabilities.
It's also because MITRE doesn't follow the CVE CNA rules, functioning as a CNA-LR (they ignored the request to get this issue a CVE).
Great job, folks!
In conversationabout 2 months ago from infosec.exchangepermalink
Attachments
1. Untitled attachment
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/114/347/038/874/604/original/027605559384adcb.png
2. No result found on File_thumbnail lookup.
  Security Update Guide - Microsoft Security Response Center

Public

Embed Notice

HTML Code

Corresponding Notice