Wergin, Charles [USA]
Hello,

Can someone please explain to me why the version for Microsoft operating systems don’t include versions? If I run msinfo32 on my Windows hardware, I get the following:

OS Name    Microsoft Windows XP Professional
Version    5.1.2600 Service Pack 3 Build 2600

So, from the specification, the CPE should be:

cpe:/o:microsoft:windows:5.1.2600:sp3:professional

However, in the current official dictionary, Microsoft OS CPE names appear as:

cpe:/o:microsoft:windows_xp::sp2:professional

(I use this example because the current version doesn’t contain the official name for XP SP3 Pro yet.)

Please note that the dictionary entry is correct; the determination to have this entry as it appears was made previous to the submission.

My curiosity stems from the premise that if an available product, delivered with the OS by the vendor, can produce viable version information, it should be included in the CPE. The specification does not state the version component is required, but does imply on page 5 that it should be included if available:

“Where the specification does not define specific structure, (for example, information beyond the vendor/product/version components) one should refer to the CPE Dictionary to make sure a similar name does not already exist.”

It would be helpful if there are going to be exceptions in the process, the specification would define those entities and why they need special considerations.

Here at the NVD, we require analysts minimally provide vendor/product/versions if available. This is often difficult to find, especially when it comes to open source products. But in the Microsoft case, the vendor gives this information specifically to us by way of this tool, yet we don’t use it.

Does anyone else think this information would be useful since it is so easily attainable?

Thank you for your time,

Chuck Wergin
National Vulnerability Database
nvd.nist.gov
Wergin, Charles [USA]
My apologies; the first sentence SHOULD have said:

Can someone please explain to me why the official CPEs for Microsoft operating systems don’t include versions?

Sorry for the confusion,

Chuck Wergin
National Vulnerability Database
nvd.nist.gov
Andrew Buttner
In reply to this post by Wergin, Charles [USA]
Chuck,

Back in October of 2007, the CPE Community decided that CPE Names for the Windows operating system should be based off of the commonly known marketing name, as opposed to kernel:version. The reason being to make it easier for users of CPE since they know each product by the marketing name. Please see the following thread (and the other threads that it references) for a recap of the issue and the resolution.

http://n2.nabble.com/VOTE---Microsoft-Windows-OS-CPE-Name-tp87996p87996.html

I personally am in agreement with you Chuck in that a name based on technical details would be better. But at the end of the day, the main goal is to have a unique name for each platform type, and the current dictionary accomplishes this.

Unless there are others in the community that want to re-open the issue, we should keep trying to work with the current CPE Names.

Thanks
Drew
Wolfkiel, Joseph
I'm not completely sure that's what Chuck is saying. Potentially, the ID "cpe:/o:microsoft:windows_xp:5.1.2600:sp3:professional" would meet his needs. I'm not sure we need to re-open the vendor name versus technically correct name discussion again to address whether MS OS CPEs can contain version information.

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700
Gary Newman-2
I agree that Chuck seems to be asking only if there's any rationale for why some of the dictionary components are populated where others aren't in the dictionary. I don't think he's looking for a different naming.

As to the version numbers, it's probably reasonable to add those for the OSes but impractical to keep up with those for applications. Almost every month, Microsoft releases security updates that bump the version number on office applications. Should we really expend the resources to keep up with those? Should we instead "trim" the version numbers to only the major.minor portion to help alleviate this issue?

The same "tracking" problem arises if we attempt to keep beta versions in the dictionary. Currently I've seen

cpe:/o:microsoft:windows_vista:6.0.6002:sp2_v_113
cpe:/o:microsoft:windows_vista:6.0.6002:sp2_v_286

as two of the public beta Vista SP2 releases. There are a lot more if we also include the versions seen by private beta participants. Should CPE include all of those?

Furthering Chuck's question, I'll ask the same about the language component. Although almost all of the Microsoft OS editions are available in en-US, none are marked that way. Although CPE is an enumeration, there's no enumeration of the OS languages available. Perhaps we should at least mark the Microsoft OSes with the en-US language.

-Gary-
Wolfkiel, Joseph
I hadn't heard about the versions of service packs problem until now.

Chuck, is the sub-minor version number used by NVD to discriminate between versions, or is it usually just the major and minor version information?

Is it reasonable to come up with a convention for how much detail in the MS version field we capture?

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700
Chuck Wergin
Joe, I think this answers your question:

When we create a CPE, we use whatever versions we can confirm. If the party reporting the vuln is using a beta or pre-release version number, and provides it, we take it. If we can confirm that the number isn't valid, by way of researching the vendor's website, we usually choose to not use it.

At the NVD, when we receive CVEs to analyze, the verbiage in the description may include "and earlier" or "before version x". For completeness, and because as far as I know a vuln scanner doesn't know what "and earlier" means, we try to include any versions we can validate have been made available and are affected. We do this by trying to locate a change log from the vendor.

In the MS case, they publish all of their versions of their products. Furthermore, running msinfo32 provides all of the version information we need to be accurate.

I would like to submit that at a minimum for MS OSs we include the version numbers in the Official CPE dictionary.

Example:

For a 64-bit version of Windows Vista Home Premium with SP1, msinfo32 returns

OS Name: Microsoft Windows Vista Home Premium
Version: 6.0.6001 Service Pack 1 Build 6001

Therefore the CPE should be

cpe:/o:microsoft:windows_vista:6.0.6001:sp1:x64

Thanks,

Chuck Wergin
National Vulnerability Database
nvd.nist.gov
Andrew Buttner
In reply to this post by Gary Newman-2
> As to the version numbers, it's probably reasonable to add those for the
> OSes but impractical to keep up with those for applications. Almost
> every month, Microsoft releases security updates that bump the version
> number on office applications. Should we really expend the resources
> to keep up with those? Should we instead "trim" the version numbers to
> only the major.minor portion to help alleviate this issue?

I would agree. I'd add that anything resembling an update would be used to build the Update component. Put another way, the Version component should be everything in the version string up to what is used for update and edition pieces.

> Furthering Chuck's question, I'll ask the same about the language
> component. Although almost all of the Microsoft os editions are
> available in en-US, none are marked that way. Although CPE is
> an enumeration, there's no enumeration of the OS languages
> available. Perhaps we should at least mark the Microsoft oses
> with the en-US language.

My guess is that most current users of the Microsoft CPE Names want to identify the platform type that represents every possible language. So I think we still need the names with the blank language component. But if a user's specific need calls for the English version of Windows Vista then they should use the en-us name. If that name isn't in the dictionary then it should be submitted for inclusion.

Agree?

Thanks
Drew
Gary Newman-2
In reply to this post by Chuck Wergin
Hi Chuck,
Why are you leaving off the home_premium part of the edition? Then the full cpe name would be cpe:/o:microsoft:windows_vista:6.0.6001:sp1:home_premium_x64 Yes?

-Gary-

> Joe, I think this answers your question:
>
> When we create a CPE, we use whatever versions we can confirm. If the
> party reporting the vuln is using a beta or pre-release version
> number, and provides it, we take it. If we can confirm that the
> number isn't valid, by way of researching the vendor's website, we
> usually choose to not use it.
>
> At the NVD, when we receive CVEs to analyze, the verbiage in the
> description may include "and earlier" or "before version x". For
> completeness, and because as far as I know a vuln scanner doesn't know
> what "and earlier" means, we try to include any versions we can
> validate have been made available and are affected. We do this by
> trying to locate a change log from the vendor.
>
> In the MS case, they publish all of their versions of their products.
> Furthermore, running msinfo32 provides all of the version information
> we need to be accurate.
>
> I would like to submit that at a minimum for MS OSs we include the
> version numbers in the Official CPE dictionary.
>
> Example:
>
> For a 64-bit version of Windows Vista Home Premium with SP1, msinfo32 returns
>
> OS Name: Microsoft Windows Vista Home Premium
> Version: 6.0.6001 Service Pack 1 Build 6001
>
> Therefore the CPE should be
>
> cpe:/o:microsoft:windows_vista:6.0.6001:sp1:x64
>
> Thanks,
>
> Chuck Wergin
> National Vulnerability Database
> nvd.nist.gov
>
> Quoting "Wolfkiel, Joseph" <[hidden email]>:
>
> > I hadn't heard about the versions of service packs problem until now.
> >
> > Chuck, Is the sub-minor version number used by NVD to discriminate between
> > versions, or is it usually just the major and minor version information?
> >
> > Is it reasonable to come up with a convention for how much detail in the MS
> > version field we capture?
> >
> > Lt Col Joseph L. Wolfkiel
> > Director, Computer Network Defense Research & Technology (CND R&T) Program
> > Management Office
> > 9800 Savage Rd Ste 6767
> > Ft Meade, MD 20755-6767
> > Commercial 410-854-5401 DSN 244-5401
> > Fax 410-854-6700
> >
> > -----Original Message-----
> > From: Gary Newman [mailto:[hidden email]]
> > Sent: Tuesday, April 14, 2009 1:14 PM
> > To: [hidden email]
> > Subject: Re: [CPE-DISCUSSION-LIST] Microsoft OS CPE Names
> >
> > I agree that Chuck seems to be asking only if there's any rationale for why
> > some of the dictionary components are populated where others aren't in the
> > dictionary. I don't think he's looking for a different naming.
> >
> > As to the version numbers, it's probably reasonable to add those for the
> > OSes but impractical to keep up with those for applications. Almost every
> > month, Microsoft releases security updates that bump the version number on
> > office applications. Should we really expend the resources to keep up with
> > those?
> > Should we instead "trim" the version numbers to only the major.minor portion
> > to help alleviate this issue?
> >
> > The same "tracking" problem arises if we attempt to keep beta versions in
> > the dictionary. Currently I've seen
> >
> > cpe:/o:microsoft:windows_vista:6.0.6002:sp2_v_113
> > cpe:/o:microsoft:windows_vista:6.0.6002:sp2_v_286
> >
> > as two of the public beta Vista SP2 releases. There are a lot more if we
> > also include the versions seen by private beta participants. Should CPE
> > include all of those?
> >
> > Furthering Chuck's question, I'll ask the same about the language component.
> > Although almost all of the Microsoft os editions are available in en-US,
> > none are marked that way. Although CPE is an enumeration, there's no
> > enumeration of the OS languages available. Perhaps we should at least mark
> > the Microsoft oses with the en-US language.
> >
> > -Gary-
> >
> >> I'm not completely sure that's what Chuck is saying. Potentially, the
> >> ID "cpe:/o:microsoft:windows_xp:5.1.2600:sp3:professional" would meet
> >> his needs. I'm not sure we need to re-open the vendor name versus
> >> technically correct name discussion again to address whether MS OS
> >> CPEs can contain version information.
> >>
> >> Lt Col Joseph L. Wolfkiel
> >> Director, Computer Network Defense Research & Technology (CND R&T)
> >> Program Management Office 9800 Savage Rd Ste 6767 Ft Meade, MD
> >> 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700
> >>
> >> -----Original Message-----
> >> From: Buttner, Drew [mailto:[hidden email]]
> >> Sent: Monday, April 13, 2009 9:54 AM
> >> To: [hidden email]
> >> Subject: Re: [CPE-DISCUSSION-LIST] Microsoft OS CPE Names
> >>
> >> Chuck,
> >>
> >> Back in October of 2007, the CPE Community decided that CPE Names for
> >> the Windows operating system should be based off of the commonly known
> >> marketing name, as opposed to kernel:version. The reason being to
> >> make it easier for users of CPE since they know each product by the
> >> marketing name. Please see the following thread (and the other
> >> threads that it references) for a recap of the issue and the resolution.
> >>
> >> http://n2.nabble.com/VOTE---Microsoft-Windows-OS-CPE-Name-tp87996p87996.html
> >>
> >> I personally am in agreement with you Chuck in that a name based on
> >> technical details would be better. But at the end of the day, the
> >> main goal is to have a unique name for each platform type, and the
> >> current dictionary accomplishes this.
> >>
> >> Unless there are others in the community that want to re-open the
> >> issue, we should keep trying to work with the current CPE Names.
> >>
> >> Thanks
> >> Drew
> >>
> >> > -----Original Message-----
> >> > From: Wergin, Charles [USA] [mailto:[hidden email]]
> >> > Sent: Wednesday, April 01, 2009 12:10 PM
> >> > To: cpe-discussion-list CPE Community Forum
> >> > Subject: [CPE-DISCUSSION-LIST] Microsoft OS CPE Names
> >> >
> >> > Hello,
> >> >
> >> > Can some one please explain to me why the version for Microsoft
> >> > operating systems don't include versions? If I run msinfo32 on my
> >> > Windows hardware, I get the following:
> >> >
> >> > OS Name Microsoft Windows XP Professional
> >> >
> >> > Version 5.1.2600 Service Pack 3 Build 2600
> >> >
> >> > So, from the specification, the CPE should be:
> >> >
> >> > cpe:/o:microsoft:windows:5.1.2600:sp3:professional
> >> >
> >> > However, in the current official dictionary, Microsoft OS CPE names
> >> > appear as:
> >> >
> >> > cpe:/o:microsoft:windows_xp::sp2:professional (I use this example
> >> > because the current version doesn't contain the official name for XP
> >> > SP3 Pro yet)
> >> >
> >> > Please note that the dictionary entry is correct; the determination
> >> > to have this entry as it appears was made previous to the submission.
> >> >
> >> > My curiosity stems from the premise that if an available product,
> >> > delivered with the OS by the vendor, can produce viable version
> >> > information, it should be included in the CPE. The specification
> >> > does not state the version component is required, but does imply on
> >> > page 5 that it should be included if available:
> >> >
> >> > "Where the specification does not define specific structure, (for
> >> > example, information beyond the vendor/product/version components)
> >> > one should refer to the CPE Dictionary to make sure a similar name
> >> > does not already exist."
> >> >
> >> > It would be helpful if there are going to be exceptions in the
> >> > process, the specification would define those entities and why they
> >> > need special considerations.
> >> >
> >> > Here at the NVD, we require analysts minimally provide
> >> > vendor/product/versions if available. This is often difficult to
> >> > find, especially when it comes to open source products. But in the
> >> > Microsoft case, the vendor gives this information specifically to us
> >> > by way of this tool, yet we don't use it.
> >> >
> >> > Does anyone else think this information would be useful since it is
> >> > so easily attainable?
> >> >
> >> > Thank you for your time,
> >> >
> >> > Chuck Wergin
> >> >
> >> > National Vulnerability Database
> >> >
> >> > nvd.nist.gov
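The naming rules argued over in this exchange, written up as a small script that is an added example and not code from the list or from the CPE project: the numeric version up to the service pack becomes the Version component (Drew's rule), the service pack becomes Update, the full edition plus architecture becomes Edition (Gary's point), and Language stays blank. The tab-separated msinfo32 report fragments are constructed for the example, and marketing names other than XP and Vista are assumed to follow the same windows_<name> pattern.

```python
import re

# Constructed msinfo32-style report fragments for the two systems discussed
# in the thread (made up for this example, not captured from real machines).
VISTA_X64 = ("OS Name\tMicrosoft Windows Vista Home Premium\n"
             "Version\t6.0.6001 Service Pack 1 Build 6001\n"
             "System Type\tx64-based PC\n")
XP_PRO = ("OS Name\tMicrosoft Windows XP Professional\n"
          "Version\t5.1.2600 Service Pack 3 Build 2600\n"
          "System Type\tX86-based PC\n")

# Marketing names used as the product component. XP and Vista are the ones
# on the thread; the rest are assumed to follow the same pattern.
MARKETING_NAMES = r"XP|Vista|7|Server 2003|Server 2008"


def parse_msinfo32(report):
    """Turn tab-separated 'Item<TAB>Value' lines into a dict."""
    fields = {}
    for line in report.splitlines():
        if "\t" in line:
            key, value = line.split("\t", 1)
            fields[key.strip()] = value.strip()
    return fields


def to_cpe(report, major_minor=False):
    """Build a CPE 2.2 URI: cpe:/o:vendor:product:version:update:edition."""
    f = parse_msinfo32(report)
    m = re.match(r"Microsoft Windows (%s)\s*(.*)" % MARKETING_NAMES, f["OS Name"])
    if not m:
        raise ValueError("unrecognised OS Name: " + f["OS Name"])
    product = "windows_" + m.group(1).lower().replace(" ", "_")
    edition = m.group(2).lower().replace(" ", "_")
    # Drew's rule: Version is everything before the service-pack text;
    # the service pack itself becomes the Update component.
    vm = re.match(r"(\d+(?:\.\d+)*)(?: Service Pack (\d+))?", f["Version"])
    if not vm:
        raise ValueError("unrecognised Version: " + f["Version"])
    version = vm.group(1)
    if major_minor:  # Gary's alternative: trim to the major.minor portion
        version = ".".join(version.split(".")[:2])
    update = "sp" + vm.group(2) if vm.group(2) else ""
    # Gary's point: keep the full edition and append the architecture
    # from "System Type" when the install is 64-bit.
    if f.get("System Type", "").lower().startswith("x64"):
        edition = edition + "_x64" if edition else "x64"
    return ("cpe:/o:microsoft:%s:%s:%s:%s" % (product, version, update, edition)).rstrip(":")


if __name__ == "__main__":
    print(to_cpe(VISTA_X64))  # cpe:/o:microsoft:windows_vista:6.0.6001:sp1:home_premium_x64
    print(to_cpe(XP_PRO))     # cpe:/o:microsoft:windows_xp:5.1.2600:sp3:professional
```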
Wergin, Charles [USA]
Agreed. But again, the spec needs to define the order.