Open mostlikelee opened 4 days ago
Thanks for tracking this @mostlikelee.
If I'm understanding correctly, we parse Microsoft resources to get CVEs for Microsoft Office apps installed on macOS: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Vulnerability-processing.md#mac-office-release-notes
Are you thinking we use MSRC for all Microsoft apps on Windows and macOS? (remove the parsing we do for macOS)
FYI @sharon-fdm @mostlikelee I pulled this request off the release board because I see we decided to address the CVE-2024-30103 false negative bug as a quick fix: https://github.com/fleetdm/confidential/issues/7014#issuecomment-2192751197
@noahtalerman I think we can keep the existing parsing for macOS Office apps for now, but using MSRC would be a more reliable data source in the future for those apps (rather than scraping release notes). IMO the higher priority is to use MSRC for Windows Office apps.
To keep the scope in check, I think there is plenty to do for Office 365 vulnerability detection (as opposed to ALL Microsoft applications). Further research is showing that even the MSRC feed is not providing version ranges. The only source I've found is the Microsoft Office release notes, which we will have to parse. The release notes are also what the MSRC feed points to for these vulnerabilities.
There is also some research needed to ensure that the information we get from osquery (the version number from OfficeClickToRun.exe) is adequate for vulnerability detection. When Click-to-Run is installed, the individual Office applications are not detected by osquery, as they do not appear in the uninstall registry.
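The detection step the comment above describes, as an added illustration that is not Fleet's code: it assumes the Office release notes have already been parsed into a per-channel table of first fixed builds (the rows, the CVE id and the build numbers here are constructed placeholders, not Microsoft data) and compares the OfficeClickToRun.exe version reported by osquery against that table.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed placeholder table (not Microsoft data): first build per Office
// update channel containing a CVE's fix, as parsed from the release notes.
type FixedBuild struct{ CVE, Channel, Build string }

var fixedBuilds = []FixedBuild{
	{"CVE-0000-00001", "Current Channel", "16.0.17628.20144"},
	{"CVE-0000-00001", "Monthly Enterprise Channel", "16.0.17531.20152"},
}

// olderThan orders builds numerically per component (osquery reports OfficeClickToRun.exe this way).
func olderThan(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i]) // missing or malformed component counts as 0
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// VulnerableCVEs: CVEs whose fix on this channel is newer than the installed build; a channel with no row yields no finding (a false negative, not noise).
func VulnerableCVEs(channel, installed string) []string {
	var out []string
	for _, fb := range fixedBuilds {
		if fb.Channel == channel && olderThan(installed, fb.Build) {
			out = append(out, fb.CVE)
		}
	}
	return out
}

func main() {
	fmt.Println(VulnerableCVEs("Current Channel", "16.0.17531.20140"))
}
```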
Problem
Currently, some CVEs in NVD are not reported accurately. Most recently, CVE-2024-30103 did not provide affected version ranges for Microsoft Office, resulting in an inability to properly detect that vulnerability.
Potential solutions
For more accurate vulnerability reporting on Microsoft applications, Fleet should use the MSRC feed.