fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

July and August Office 365 False Negatives #20409

Open mostlikelee opened 1 month ago

mostlikelee commented 1 month ago

https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates

Add rule to: server/vulnerabilities/customcve/matching_rules.go

Need to manually add these vulnerabilities until Office365 detections are resolved.

--

QA notes

  1. Install "Microsoft 365" on a Windows host from https://www.microsoft.com/en-us/microsoft-365/download-office.
  2. Manually change the version to something lower than the versions listed in https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates#june-11-2024.
    • For July it's 16.0.17726.20160 so if you set version to something like 16.0.17726.20159 then Fleet should detect July vulnerabilities (and August).
    • For August it's 16.0.17830.20166 so if you set version to something like 16.0.17830.20165 then Fleet should detect August vulnerabilities.
      select * from software where name like 'Microsoft 365%';
      update software set version = '<VERSION_STRING>' where id = <ID_FROM_PREVIOUS_QUERY>;
  3. Run vulnerability processing.

Finally, setting versions higher than 16.0.17830.20166 should find no vulnerabilities.

PS: Don't forget that vulnerabilities are cleared from the DB after 2 hours of them being "found". Workaround:
      update software_cve set updated_at = DATE_SUB(current_timestamp, interval 3 hour);
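The expected detection behaviour from the QA notes (a build below 16.0.17726.20160 is missing both the July and August updates, a build below 16.0.17830.20166 is missing August only, anything at or above that is clean) as a stand-alone Go example. This is added illustration, not code from Fleet's matching_rules.go or its rule API: the type and function names are this example's own, the two fixed builds are the ones quoted in the comment above, and the test values are constructed around them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedBuild records the first Microsoft 365 Apps build that carries a
// given month's security updates. Hypothetical type for this example.
type fixedBuild struct {
	Month   string
	Version string
}

// The two fixed builds quoted in the QA notes above (example data, not a
// Fleet rule table).
var office365Fixes = []fixedBuild{
	{Month: "July 2024", Version: "16.0.17726.20160"},
	{Month: "August 2024", Version: "16.0.17830.20166"},
}

// parseVersion splits a dotted Office build ("16.0.17726.20160") into
// integer components. It fails closed: a non-numeric component is an error
// rather than being treated as "newer than every fix".
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimSpace(v), ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("invalid version component %q in %q", p, v)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions compares two parsed builds component-wise and numerically
// (so 16.0.17726.20160 > 16.0.17726.9999, which a string comparison would
// get wrong). Missing trailing components count as zero.
func compareVersions(a, b []int) int {
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// missingOfficeUpdates returns the patch months whose security fixes the
// installed build still lacks: every fix whose first fixed build is strictly
// greater than the installed version.
func missingOfficeUpdates(installed string) ([]string, error) {
	inst, err := parseVersion(installed)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, f := range office365Fixes {
		fixed, err := parseVersion(f.Version)
		if err != nil {
			return nil, err
		}
		if compareVersions(inst, fixed) < 0 {
			missing = append(missing, f.Month)
		}
	}
	return missing, nil
}

func main() {
	// Constructed inputs around the two boundaries from the QA notes.
	for _, v := range []string{"16.0.17726.20159", "16.0.17726.20160", "16.0.17830.20165", "16.0.17830.20166", "16.0.17830.20167"} {
		m, err := missingOfficeUpdates(v)
		fmt.Printf("%s -> missing %v (err=%v)\n", v, m, err)
	}
}
```

The numeric, component-wise comparison is the part worth checking when adding a rule like this: Office build numbers are not fixed-width, so any rule that compares version strings lexically will mis-classify hosts on either side of a boundary.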

lukeheath commented 1 month ago

@mostlikelee Sounds like this is unreleased?

mostlikelee commented 1 month ago

Not unreleased, but this will be recurring monthly (patch tuesday) work until https://github.com/fleetdm/fleet/issues/20039 is addressed.

lucasmrod commented 2 weeks ago

@xpkoala Added QA notes.

lucasmrod commented 2 weeks ago

Changing estimation from 1 to 2 because of figuring out Microsoft 365 installer/target and adding tests.