
Updated def:12313


Updated def:12313

gauravphoenix
Please find attached updated 12313 definition id. 

Modification made:
Negate the result if IE9 is installed. According to MS11-031 which replaces MS11-009 (bulletin on which this def:12313 is made) :
Systems with Internet Explorer 9 installed are not affected and do not require this update


Thanks,
--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

def.xml (65K) Download Attachment

Re: Updated def:12313

bakerj
Administrator

Gaurav,

In reviewing your submission I noticed a few issues:

- I noticed that you edited the <oval_repository/> element’s date information with a comment for your change. This is helpful information, and important to add. However, we have developed tools that entirely manage the content of the <oval_repository/> element. In the future please do not edit this element. I have removed it from the attached version of the modified definition.

- On line 46 of the submitted file, you added:

<extend_definition definition_ref="oval:org.mitre.oval:def:11985" comment="Microsoft Internet Explorer 9 is installed"/>

However, you did not in fact negate this extend_definition element. There is a @negate attribute that can be applied to this element.

- The submitted document is not XML Schema valid. It looks like you added a reference to the definition that checks for IE9 being installed, but did not add the actual definition to the document that you submitted.

- In your effort to add the extended definition you essentially wrapped all existing criteria in one additional criteria that ANDed the previous results with the results of looking for IE9. That approach is reasonable, but I felt like it was a bit easier to read if you pushed the check for IE9 down into the existing criteria structure. This caused me to reference the IE9 inventory definition twice. Once for no service pack and once for with service pack 1.

More information about submissions can be found here: https://oval.mitre.org/repository/about/submission.html

As it turns out, in working through the above issues I corrected them. The changes reflected in the attached document are now available in the oval repository. Our static downloads are being updated to reflect this change now too.

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

 


def-jb.xml (69K) Download Attachment
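
The criteria logic discussed in the review above, as an added example that is not part of the thread or of the OVAL repository: a simplified Python evaluator (boolean results, AND/OR operators only) run over constructed criteria fragments. Only the IE9 definition id comes from the thread; the tst:* ids and the two-branch layout are assumptions standing in for the real tests of def:12313.

```python
import itertools
import xml.etree.ElementTree as ET

IE9 = "oval:org.mitre.oval:def:11985"  # IE9 inventory definition named in the thread

def ext(negate):
    # extend_definition reference to the IE9 inventory check, optionally negated
    attr = ' negate="true"' if negate else ""
    return f'<extend_definition definition_ref="{IE9}"{attr}/>'

def branches(inner=""):
    # Constructed stand-in for the existing structure: one AND branch per
    # service-pack level. tst:nosp, tst:sp1 and tst:vuln are placeholder ids.
    return ('<criteria operator="OR">'
            f'<criteria operator="AND"><criterion test_ref="tst:nosp"/>{inner}<criterion test_ref="tst:vuln"/></criteria>'
            f'<criteria operator="AND"><criterion test_ref="tst:sp1"/>{inner}<criterion test_ref="tst:vuln"/></criteria>'
            '</criteria>')

def wrapped(negate):
    # One extra outer criteria that ANDs the IE9 check with everything else
    return f'<criteria operator="AND">{ext(negate)}{branches()}</criteria>'

SUBMITTED = wrapped(negate=False)    # IE9 reference added without @negate
WRAPPED = wrapped(negate=True)       # same wrapper, with @negate
PUSHED_DOWN = branches(ext(True))    # negated IE9 check inside each branch

def evaluate(node, facts):
    """Simplified OVAL evaluation: boolean results, AND/OR operators only."""
    if node.tag == "criteria":
        op = node.get("operator", "AND")  # AND is the schema default
        if op not in ("AND", "OR"):
            raise ValueError(f"operator {op} is not handled in this sketch")
        results = [evaluate(child, facts) for child in node]
        value = all(results) if op == "AND" else any(results)
    else:  # criterion or extend_definition: look up the referenced result
        value = facts[node.get("test_ref") or node.get("definition_ref")]
    return (not value) if node.get("negate") == "true" else value

def flagged(xml_text, ie9, sp1, vuln):
    # vuln = result of the (placeholder) script-engine version test
    facts = {IE9: ie9, "tst:nosp": not sp1, "tst:sp1": sp1, "tst:vuln": vuln}
    return evaluate(ET.fromstring(xml_text), facts)

def truth_table(xml_text):
    return [flagged(xml_text, *s) for s in itertools.product([False, True], repeat=3)]

if __name__ == "__main__":
    print("wrapped == pushed down:", truth_table(WRAPPED) == truth_table(PUSHED_DOWN))
    print("submitted flags IE9 host:", flagged(SUBMITTED, ie9=True, sp1=True, vuln=True))
```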

Re: Updated def:12313

gauravphoenix
Thanks Jon! 
I am a little unclear on the oval_repository element. Should authors omit this part during submission because it is automatically managed by you? Or should it be omitted only when a change is made (as opposed to a new definition)?


--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 


Re: Updated def:12313

Dragos Prisaca-3
In reply to this post by bakerj

Hi,

I am not convinced if we have to make this change to the oval:org.mitre.oval:def:12313 because the MS11-009 fixes a different vulnerability than MS11-031 and it does not specify that the IE9 is not affected. Also, the def:12313 should not generate a false positive when IE9 is installed because the versions of the JScript 5.8 and VBScript 5.8 scripting engines are already greater than the one used by the OVAL definition.

Gaurav, have you recommended the change based on the fact MS11-031 replaces MS11-009 or have you tested the def:12313 and it generated false positives?

Regards,

_Dragos.

 


Re: Updated def:12313

gauravphoenix
Dragos, 

I was getting a false positive result generated by def:12313 on my Windows 7 64-bit machine with IE9 installed. While researching what could be the cause, I found that other scanners were also generating false positive results. One such discussion is available here.

Also, ms11-031 mentions "MS11-009" under column "Bulletins Replaced by this Update". It also mentions under footnote[1] that - "Systems with Internet Explorer 9 installed are not affected and do not require this update. Systems that have not been upgraded with Internet Explorer 9 will need the correct update for the versions of the JScript and VBScript scripting engines installed on them" 

Thanks,
Gaurav




--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 
