Analysis of Windows Vulnerability Scan

こんにちは, OSSのVulsへContributeしているMaineK00nです.
今回は, OSSで公開されたWindowsの脆弱性検知をVuls祭り#7のスライドをもとにして解説していきたいと思います.
また, Vuls祭り#7@YouTubeで当日の発表の様子を見ることが出来ます.

以前, Windows Vulnerability Scanというタイトルで投稿した記事では, 更新プログラムの置き換えや, マシンの更新プログラムの適用状況を調べる方法について紹介しているため, 併せて読むと理解が深まるかもしれません.

VulsでのWindows脆弱性検知ステータス

はじめに, 少し簡単にVulsでのWindows対応ステータスをまとめました.

ローカルスキャン, リモートスキャン(SSH), サーバスキャンすべて使える
リモートスキャンを使えば, Windows → Linux, Linux → Windowsのスキャンもできる
サーバスキャンなら, スキャン対象のマシンにVulsバイナリの用意や, SSHサーバの設定は必要なく, systeminfo.exeの結果をリクエストするだけでよい
脆弱性DBを用意すれば, オンライン, オフラインに関わらず検知可能である

利用している脆弱性情報

Microsoft Security Research Center: MSRCが提供しているCVRF¹とBulletinSearch² ³を利用している.
基本的に, これらの脆弱性情報には, 各脆弱性とそれを修正するKBIDがプロダクトごとに記述されており, Microsoft Edgeのような製品は, KBIDではなく修正バージョンが記述されることもある.

また, 更新プログラムの置き換え情報はCVRF, BulletinSearch以外に, オフラインスキャンで利用されるWsusscn2.cab⁴やWindows Update Catalog⁵からも収集している. CVRFやBulletinSearchの情報だけでは脆弱性に紐づくKBの前後しか分からないため, 置き換え情報の構成には不十分なのである.

Vulsでは, これらのデータソースを vulsio/windows-vuln-feed リポジトリで収集し, 管理している. 脆弱性情報や更新プログラムの置き換え情報で誤りや漏れがある場合はこちらのリポジトリにissueで報告してもらえると助かります.

また, vulsio/windows-vuln-feed リポジトリで管理するデータを利用するために, vulsio/gost リポジトリを提供している.
簡単な使い方を紹介する.

  
  




$ git clone https://github.com/vulsio/gost.git
$ make install
$ gost fetch microsoft
INFO[03-17|01:52:04] Initialize Database 
INFO[03-17|01:52:04] Fetched all CVEs from Microsoft 
INFO[03-17|01:52:06] Insert Microsoft CVEs into DB            db=sqlite3
INFO[03-17|01:52:06] Inserting cves                           cves=11813
11813 / 11813 [----------------------------------------------------------------------------] 100.00% 2904 p/s
INFO[03-17|01:52:10] Insert KB Relation                       relations=6339
6339 / 6339 [------------------------------------------------------------------------------] 100.00% 5418 p/s

$ gost server
INFO[03-17|01:52:48] Starting HTTP Server... 
INFO[03-17|01:52:48] Listening                                URL=127.0.0.1:1325

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v3.3.10-dev
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
⇨ http server started on 127.0.0.1:1325
{"time":"2023-03-17T01:53:27.583056389+09:00","id":"","remote_ip":"127.0.0.1","host":"127.0.0.1:1325","method":"GET","uri":"/microsoft/cves/CVE-2020-27844","user_agent":"curl/7.81.0","status":200,"error":"","latency":606859,"latency_human":"606.859µs","bytes_in":0,"bytes_out":2588}
{"time":"2023-03-17T01:54:09.395139706+09:00","id":"","remote_ip":"127.0.0.1","host":"127.0.0.1:1325","method":"POST","uri":"/microsoft/kbs","user_agent":"curl/7.81.0","status":200,"error":"","latency":1257395,"latency_human":"1.257395ms","bytes_in":50,"bytes_out":178}
{"time":"2023-03-17T01:58:13.061191365+09:00","id":"","remote_ip":"127.0.0.1","host":"127.0.0.1:1325","method":"POST","uri":"/microsoft/filtered-cves","user_agent":"curl/7.81.0","status":200,"error":"","latency":153815619,"latency_human":"153.815619ms","bytes_in":57,"bytes_out":174274}

// CVRFやBulletinSearchで定義された脆弱性情報がレスポンスされる
$ curl http://127.0.0.1:1325/microsoft/cves/CVE-2020-27844 | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2588    0  2588    0     0  2537k      0 --:--:-- --:--:-- --:--:-- 2527k
{
  "cve_id": "CVE-2020-27844",
  "title": "Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG",
  "description": "<p>This CVE was assigned by Chrome.  Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see <a href=\"https://chromereleases.googleblog.com/2021\">Google Chrome Releases</a> for more information.</p>",
  "faq": "<p><strong>Why is this Chrome CVE included in the Security Update Guide?</strong></p>\n<p>The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based).  It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.  Please see <a href=\"https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/\">Security Update Guide Supports CVEs Assigned by Industry Partners</a> for more information.</p>\n<p><strong>How can I see the version of the browser?</strong></p>\n<ol>\n<li>In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window</li>\n<li>Click on <strong>Help and Feedback</strong></li>\n<li>Click on <strong>About Microsoft Edge</strong></li>\n</ol>\n<p><strong>What is the version information for this release?</strong></p>\n<table>\n<thead>\n<tr>\n<th>Microsoft Edge Version</th>\n<th>Date Released</th>\n<th>Based on Chromium Version</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>89.0.774.45</td>\n<td>3/4/2021</td>\n<td>89.0.4389.72</td>\n</tr>\n</tbody>\n</table>",
  "tag": "Microsoft Edge (Chromium-based)",
  "cna": "Chrome",
  "exploit_status": "DOS:N/A",
  "mitigation": "",
  "workaround": "",
  "products": [
    {
      "product_id": "11655",
      "name": "Microsoft Edge (Chromium-based)",
      "impact": "",
      "severity": "",
      "score_set": {
        "base_score": "",
        "temporal_score": "",
        "vector": ""
      },
      "kbs": []
    }
  ],
  "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-27844",
  "acknowledgments": "",
  "publish_date": "2021-03-04T20:03:54Z",
  "last_update_date": "2021-03-04T20:03:54Z"
}

// リクエストした適用済みKBIDと未適用KBIDから更新プログラムの置き換えを展開する
$ curl -H "Content-type: application/json" -X POST -d '{"applied": ["3194343"], "unapplied": ["4503327"]}' http://127.0.0.1:1325/microsoft/kbs | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   228  100   178  100    50  63753  17908 --:--:-- --:--:-- --:--:--  111k
{
  "applied": [
    "3194343"
  ],
  "unapplied": [
    "3202790",
    "3209498",
    "3214628",
    "4512578",
    "4503327",
    "4014329",
    "4020821",
    "4022730",
    "3201860",
    "4025376",
    "4511553",
    "4010250",
    "4018483",
    "4507469"
  ]
}

// Productに関係する脆弱性のうち, KBで修正可能な脆弱性や更新プログラムが提供されていない脆弱性を求める
$ curl -H "Content-type: application/json" -X POST -d '{"products": ["Windows Server 2019"], "kbs": ["4503327"]}' http://127.0.0.1:1325/microsoft/filtered-cves | jq | pbcopy
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  170k    0  170k  100    57  1097k    367 --:--:-- --:--:-- --:--:-- 1098k
...
"CVE-2013-3900": {
    "cve_id": "CVE-2013-3900",
    "title": "WinVerifyTrust Signature Validation Vulnerability",
    "description": "<p><strong>Why is Microsoft republishing a CVE from 2013?</strong></p>\n<p>We are republishing CVE-2013-3900 in the Security Update Guide to update the <strong>Security Updates</strong> table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, the information herein remains unchanged from the original text published on December 10, 2013.</p>\n<p>Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The reg key already exists in Window 10 and Window 11, so no security update is required but the reg key must be set. See the <strong>Security Updates</strong> table for the list of affected software.</p>\n<p><strong>Vulnerability Description</strong></p>\n<p>A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>\n<p>If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>\n<p>Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an existing signed file to include malicious code without invalidating the signature. This code would execute in the context of the privilege in which the signed PE file was launched.</p>\n<p>In an email attack scenario, an attacker could exploit this vulnerability by sending a user an email message containing the specially crafted PE file and convincing the user to open the file.</p>\n<p>In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted PE file. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit this vulnerability. An attacker would have no way to force users to visit a website that is hosting the specially crafted PE file. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that directs them to the attacker's website.</p>\n<p><strong>Update History</strong></p>\n<p>On December 10, 2013, Microsoft released an update for all supported releases of Microsoft Windows that changes how signatures are verified for binaries signed with the Windows Authenticode signature format. This change can be enabled on an opt-in basis. When enabled, the new behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed. On July 29, 2014 Microsoft announced that it no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. To this date, it remains available as an opt-in feature in all currently supported releases of Microsoft Windows.</p>\n<p><strong>Recommendation</strong>. Microsoft recommends that executables authors consider conforming all signed binaries to the new verification standard by ensuring that they contain no extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that customers appropriately test this change to evaluate how it will behave in their environments. Please see the <strong>Suggested Actions</strong> section for more information.</p>",
    "faq": "<p><strong>What is the result of opting into the stricter verification behavior?</strong></p>\n<p>Opting into the stricter verification behavior causes the WinVerifyTrust function to perform strict Windows Authenticode signature verification for PE files. After you opt in, PE files will be considered &quot;unsigned&quot; if Windows identifies content in them that does not conform to the Authenticode specification. This may impact some installers. If you are using an installer that is impacted, Microsoft recommends using an installer that only extracts content from validated portions of the signed file.</p>\n<p><strong>How can I enable the new signature verification behavior?</strong></p>\n<p>Customers who would like to enable the new Authenticode signature verification behavior can do so by setting a key in the system registry. When the key is set, Windows Authenticode signature verification will no longer recognize binaries with Authenticode signatures that contain extraneous information in the WIN_CERTIFICATE structure. Customers can choose to disable the functionality at any time by disabling this registry key. See <strong>Suggested Actions</strong> for instructions.</p>\n<p><strong>How can I disable the functionality?</strong></p>\n<p>Customers who have already enabled the stricter verification behavior, and have not experienced problems, can choose to leave the verification behavior enabled. Customers who are experiencing application compatibility problems with the new behavior, or customers who simply want to disable the new behavior, can disable the functionality by removing the EnableCertPaddingCheck registry key. See <strong>Suggested Actions</strong> for instructions.</p>\n<p><strong>If I do not want to enable this functionality, do I need to do anything?</strong></p>\n<p>No. The stricter verification behavior resides on the system but will be dormant functionality until enabled.</p>\n<p><strong>Does the new verification behavior affect already-installed software?</strong></p>\n<p>The new stricter verification behavior, when enabled, applies primarily to portable executable (PE) binaries that are signed with the Windows Authenticode signature format. Binaries that are not signed with this format or that do not use WinVerifyTrust to verify signatures are not affected by the new behavior. Binaries most likely to be affected are PE installer files distributed via the Internet that are customized at time of download. The most common scenario in which users could perceive an impact is during the downloading and installation of new applications. This is the case only if customers have chosen to enable the stricter verification behavior, after which users may observe warning messages when attempting to install new applications with signatures that fail validation.</p>\n<p><strong>Does the new verification behavior impact AppLocker policies?</strong></p>\n<p>For customers who have chosen to enable the stricter verification behavior, any AppLocker rule that depends on files being signed, or expects a specific publisher, may be impacted if the signature on a file does not meet the stricter Authenticode signature verification requirements.</p>\n<p><strong>Does the new verification behavior impact Windows Defender Application Control (WDAC)?</strong></p>\n<p>No. The new verification behavior does not impact WDAC.</p>\n<p><strong>Does the new verification behavior impact Software Restriction Policies?</strong></p>\n<p>For customers who have chosen to enable the stricter verification behavior, any Software Restriction Policy that depends on files being signed, or expects a specific publisher, may be impacted if the signature on a file does not meet the stricter Authenticode signature verification requirements.</p>\n<p><strong>The new stricter verification behavior deems my binary non-compliant. What are my options?</strong></p>\n<p>If a binary is deemed non-compliant with the stricter Authenticode signature verification behavior, this will not be a problem on systems that have not had the new verification behavior enabled because Microsoft is not enforcing the stricter behavior by default. However, to correct problems with a binary failing validation on systems where the new verification behavior has been enabled, that binary will need to be re-signed with strict adherence to the Windows Authenticode Signature format and specifically not include extraneous information in the WIN_CERTIFICATE structure.</p>\n<p><strong>Is there any possibility of a signature being recognized as non-compliant with the stricter verification process if I sign using non-Microsoft-provided signing tools?</strong></p>\n<p>Yes. For customers opting to enable the stricter verification behavior, signing binaries with non-Microsoft-provided signing tools runs the risk of signatures being recognized as non-compliant with the stricter verification behavior. Using Microsoft products, or signature tools Microsoft provides, such as signtool.exe, helps to ensure that signatures are recognized as compliant.</p>\n<p><strong>What is Windows Authenticode?</strong></p>\n<p>Windows Authenticode is a digital signature format that is used to determine the origin and integrity of software binaries. Authenticode uses Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode-signed binary to the identity of a software publisher. The term &quot;Authenticode signature&quot; refers to a digital signature format that is generated and verified using the WinVerifyTrust function.</p>\n<p><strong>What is Windows Authenticode signature verification?</strong></p>\n<p>Windows Authenticode signature verification consists of two primary activities: signature checking on specified objects and trust verification. These activities are carried out by the WinVerifyTrust function, which executes a signature check then passes the inquiry to a trust provider that supports the action identifier, if one exists. For more technical information regarding the WinVerifyTrust function, see <a href=\"http://msdn.microsoft.com/en-us/library/aa388208(vs.85).aspx\">WinVerifyTrust function</a>. For an introduction to Authenticode, see <a href=\"http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx\">Introduction to Code Signing</a>.</p>\n<h3>Suggested Actions</h3>\n<p><strong>Review Microsoft Root Certificate Program Technical Requirements</strong></p>\n<p>Customers who are interested in learning more about the topic covered in this advisory should review <a href=\"https://docs.microsoft.com/en-us/security/trusted-root/program-requirements\">Windows Root Certificate Program - Technical Requirements</a>.</p>\n<p><strong>Modify Binary Signing Processes</strong></p>\n<p>After reviewing the technical details underlying the change in Authenticode signature verification behavior, Microsoft recommends that customers ensure that their Authenticode signatures do not contain extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that executables authors consider conforming their Authenticode-signed binaries to the new verification standard. Authors who have modified their binary signing processes and would like to enable the new behavior may do so on an opt-in basis. <a href=\"https://docs.microsoft.com/en-us/security/trusted-root/program-requirements\">Windows Root Certificate Program - Technical Requirements</a> for guidance.</p>\n<p><strong>Test the Improvement to Authenticode Signature Verification</strong></p>\n<p>Microsoft recommends that customers test how this change to Authenticode signature verification behaves in their environment before fully implementing it. To enable the Authenticode signature verification improvements, modify the registry to add the EnableCertPaddingCheck value as detailed below.</p>\n<p><strong>Warning</strong> Performing these steps to enable the functionality changes will cause non-conforming binaries to appear unsigned and, therefore, render them untrusted.</p>\n<p><strong>Note</strong> If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.</p>\n<p>To enable the functionality perform the following steps:</p>\n<p><strong>For 32-bit versions of Microsoft Windows</strong></p>\n<p>Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).</p>\n<pre><code>Windows Registry Editor Version 5.00  \n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config]   \n&quot;EnableCertPaddingCheck&quot;=&quot;1&quot;  \n</code></pre>\n<p>You can apply this .reg file to individual systems by double-clicking it.</p>\n<p><strong>Note</strong> You must restart the system for your changes to take effect.</p>\n<p><strong>For 64-bit versions of Microsoft Windows</strong></p>\n<p>Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).</p>\n<pre><code>Windows Registry Editor Version 5.00  \n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config]   \n&quot;EnableCertPaddingCheck&quot;=&quot;1&quot;\n\n[HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config] \n&quot;EnableCertPaddingCheck&quot;=&quot;1&quot;\n</code></pre>\n<p>You can apply this .reg file to individual systems by double-clicking it.</p>\n<p><strong>Note</strong> You must restart the system for your changes to take effect.</p>\n<p><strong>Impact of enabling the functionality change</strong>: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.</p>\n<p><strong>How to disable the functionality</strong>. Perform the following to delete the registry value previously added.</p>\n<p>For 32-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification.reg).</p>\n<pre><code>Windows Registry Editor Version 5.00  \n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config]   \n&quot;EnableCertPaddingCheck&quot;=-\n</code></pre>\n<p>You can apply this .reg file to individual systems by double-clicking it.</p>\n<p><strong>Note</strong> You must restart the system for your changes to take effect.</p>\n<p>For 64-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification64.reg).</p>\n<pre><code>Windows Registry Editor Version 5.00  \n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config]   \n&quot;EnableCertPaddingCheck&quot;=-\n\n[HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config]   \n&quot;EnableCertPaddingCheck&quot;=-\n</code></pre>\n<p>You can apply this .reg file to individual systems by double-clicking it.</p>\n<p><strong>Note</strong> You must restart the system for your changes to take effect.</p>",
    "tag": "WinVerifyTrust Signature Verification",
    "cna": "Microsoft",
    "exploit_status": "Publicly Disclosed:Yes;Exploited:Yes;Latest Software Release:Exploitation Detected;Older Software Release:Exploitation Detected;DOS:N/A",
    "mitigation": "",
    "workaround": "",
    "products": [
      {
        "product_id": "11571",
        "name": "Windows Server 2019",
        "impact": "Security Feature Bypass",
        "severity": "Important",
        "score_set": {
          "base_score": "7.4",
          "temporal_score": "6.4",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C"
        },
        "kbs": []
      }
    ],
    "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900",
    "acknowledgments": "",
    "publish_date": "2022-01-21T08:00:00Z",
    "last_update_date": "2022-01-21T08:00:00Z"
  },
  "CVE-2019-0620": {
    "cve_id": "CVE-2019-0620",
    "title": "Windows Hyper-V Remote Code Execution Vulnerability",
    "description": "<p>A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.</p>\n<p>An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.</p>\n<p>The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.</p>",
    "faq": "",
    "tag": "Windows Hyper-V",
    "cna": "",
    "exploit_status": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely",
    "mitigation": "",
    "workaround": "",
    "products": [
      {
        "product_id": "11571",
        "name": "Windows Server 2019",
        "impact": "Remote Code Execution",
        "severity": "Critical",
        "score_set": {
          "base_score": "7.6",
          "temporal_score": "6.8",
          "vector": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C"
        },
        "kbs": [
          {
            "article": "4503327",
            "restart_required": "Yes",
            "sub_type": "Security Update",
            "fixed_build": "",
            "article_url": "https://support.microsoft.com/help/4503327",
            "download_url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4503327"
          }
        ]
      }
    ],
    "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0620",
    "acknowledgments": "HongZhenhao of IceSword Lab, Qihoo 360",
    "publish_date": "2019-06-11T07:00:00Z",
    "last_update_date": "2019-06-11T07:00:00Z"
  },
...




  
  

脆弱性検知の方針

CVE-2022-34708の定義を見る.
Windows 10 Version 21H2 for x64-based SystemsでKB5016616が未適用であるならば, CVE-2022-34708は影響すると判断できる.
これを機械的に処理するには, NameとArticleの情報を対象のマシンから集める必要がある.

  
  




{
  "CVEID": "CVE-2022-34708",
  "Title": "Windows Kernel Information Disclosure Vulnerability",
  "FAQs": [
    "<p><strong>What type of information could be disclosed by this vulnerability?</strong></p>\n<p>The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.</p>"
  ],
  "Tag": "Windows Kernel",
  "CNA": "Microsoft",
  "ExploitStatus": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely;DOS:N/A",
  "Products": [
    {
      "ProductID": "11923",
      "Name": "Windows Server 2022",
      "Impact": "Information Disclosure",
      "Severity": "Important",
      "ScoreSet": {
        "BaseScore": "5.5",
        "TemporalScore": "4.8",
        "Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"
      },
      "KBs": [
        {
          "Article": "5016627",
          "RestartRequired": "Yes",
          "SubType": "Security Update",
          "FixedBuild": "10.0.20348.887",
          "ArticleURL": "https://support.microsoft.com/help/5016627",
          "DownloadURL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5016627"
        }
      ]
    },
    {
      "ProductID": "11931",
      "Name": "Windows 10 Version 21H2 for x64-based Systems",
      "Impact": "Information Disclosure",
      "Severity": "Important",
      "ScoreSet": {
        "BaseScore": "5.5",
        "TemporalScore": "4.8",
        "Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"
      },
      "KBs": [
        {
          "Article": "5016616",
          "RestartRequired": "Yes",
          "SubType": "Security Update",
          "FixedBuild": "10.0.19044.1889",
          "ArticleURL": "https://support.microsoft.com/help/5016616",
          "DownloadURL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5016616"
        }
      ]
    },
    ...




  
  

OSを特定する

脆弱性情報に沿ったOS名を特定する必要がある.
そのため, Vulsでは集めた情報からOS名を構成する.

例えば, 以下のsysteminfo.exeの結果でOS名を構成する手順を紹介する.
OS Version: 10.0.19044からMajor.Minor Version: 10.0, Build: 19044ということがわかる.
OS Configuration: Member WorkstationからWindows Serverではないようだ.
Major.Minor Versionが10.0であるWorkstationはWindows 10かWindows 11となる.
また, Build Numberから, Windows 10 Version 21H2まで特定できる.
そして, System Type: x64-based PCを合わせて, Windows 10 Version 21H2 for x64-based Systems という名前を構成できる.

  
  




Host Name:                 DESKTOP
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00000-00000-00000-AA000
Original Install Date:     2022/04/13, 12:25:41
System Boot Time:          2022/06/06, 16:43:45
System Manufacturer:       HP
System Model:              HP EliteBook 830 G7 Notebook PC
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1803 Mhz
BIOS Version:              HP S70 Ver. 01.05.00, 2021/04/26
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     15,709 MB
Available Physical Memory: 12,347 MB
Virtual Memory: Max Size:  18,141 MB
Virtual Memory: Available: 14,375 MB
Virtual Memory: In Use:    3,766 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\DESKTOP
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB5012117
                           [02]: KB4562830
                           [03]: KB5003791
                           [04]: KB5007401
                           [05]: KB5012599
                           [06]: KB5011651
                           [07]: KB5005699
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) Wi-Fi 6 AX201 160MHz
                                 Connection Name: Wi-Fi
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.0.1
                                 IP address(es)
                                 [01]: 192.168.0.205
Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
                           Second Level Address Translation: Yes
                           Data Execution Prevention Available: Yes




  
  

Vulsでは, 4つのOSを特定する方法を用意している.
registryは他の3つの方法と異なり, Major.Minor.Build.UBRまで分かる.
ただし, registryは記事執筆当時では, リモートスキャンではSSH接続越しに実行することに失敗しているため, ローカルスキャンのみとなっている.

registry(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment) (local scan only)
Get-ComputerInfo
Get-WmiObject Win32_OperatingSystem
systeminfo.exe

インストールされているパッケージを調べる

記事執筆当時のVulsは, インストールされているパッケージを次のようにして調べている.

  
$ Get-Package | Format-List -InputObject $Packages -Property Name, Version, ProviderName
Name         : Microsoft Edge
Version      : 98.0.1108.56
ProviderName : Programs

Name         : Git
Version      : 2.35.1.2
ProviderName : Programs

Name         : Oracle Database 11g Express Edition
Version      : 11.2.0
ProviderName : msi

Name         : 2022-12 x64 ベース システム用 Windows 10 Version 21H2 の累積更新プログラム (KB5021233)
Version      :
ProviderName : msu

インストールされているパッケージの結果から, 記事執筆当時のVulsでは, Microsoft Edgeのみ脆弱性情報を追跡している.
CVRFやBulletinで定義されるプロダクト名とインストールされているパッケージ名が一致するかどうかを確認しなければならないことなど課題がある.

更新プログラムの適用状況を調べる

Windows 10以前の更新プログラムはMonthly RollupとSecurity Onlyの2種類が提供されていました。Windows 10以降は累積更新となっている.

以前, 記事を投稿した際にあるKBからの置き換えをMicrosoft Update Catalogをもとに調べると, 次のようになっていた.

KB Tree

これを vulsio/windows-vuln-feed で提供している置き換え情報の形式で表現すると次のようになる.
1つ途切れると, 最新のKBまで展開出来ないということが起きる.
そのために, vulsio/windows-vuln-feed では機械的に対応できる手法をいくつか実装して, 対応しているが, それでも置き換え情報は途絶えてしまうことがある. そのために, 以下のようなJSONを手動で書いて, 置き換え情報を表現することも出来るようにしている. もし, 置き換え情報の不足に気がついた方はissueやpull requestをください.

  
  




[
    {
        "KBID": "4480056",
        "Supersededby": {
            "KBIDs": [
                "4483452",
                "4499405",
                "4507419",
                "4514601",
                "4524099",
                "4533094",
                "4535101",
                "4538122",
                "4535669",
                ...
            ]
        }
    },
    {
        "KBID": "4483452",
        "Supersededby": {
            "KBIDs": [
                "4499405",
                "4507419",
                "4514601",
                "4524099",
                "4533094",
                "4535101",
                "4538122",
                "4535669",
                ...
            ]
        }
    },
    {
        "KBID": "4499405",
        "Supersededby": {
            "KBIDs": [
                "4507419",
                "4514601",
                "4524099",
                "4533094",
                "4535101",
                "4538122",
                "4535669",
                ...
            ]
        }
    },
    ...
]




  
  

これまでに, 更新プログラムの置き換えがどのように表現されるかを考えました.
未適用な更新プログラムは, 適用済みの更新プログラムから置き換え情報を辿れば, 求めることができそうである.
Vulsでは, 更新プログラムの適用状況を以下の手法で集めている.
記事執筆当時のVulsでは, 3. IUpdateSearcher::Search はSSH越しで動作させることが難しいことからローカルスキャンのみ, 6. systeminfo.exe はサーバモードのみとなっている.

Get-Hotfix
Get-Package -ProviderName msu
IUpdateSearcher::Search⁶ (local scan only)
IUpdateSearcher::QueryHistory⁷
Major.Minor.Build.UBR まで取得できている場合, Vulsで定義済みのOSの累積更新プログラムから検索
systeminfo.exe (server mode only)

OSの脆弱性を検知

OSがWindows 10 Version 21H2で, 適用済みKBがKB5012117, KB4562830, KB5003791, KB5007401, KB5012599, KB5011651, KB5005699ということから, 画像を見るとKB5016616が未適用なKBの一つであることが分かる.

  
Host Name:                 DESKTOP
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
OS Configuration:          Member Workstation
System Type:               x64-based PC
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB5012117
                           [02]: KB4562830
                           [03]: KB5003791
                           [04]: KB5007401
                           [05]: KB5012599
                           [06]: KB5011651
                           [07]: KB5005699

Windows 10 21H2 Release
Reference: https://learn.microsoft.com/en-us/windows/release-health/release-information

CVE-2022-34708はOSがWindows 10 Version 21H2 for x64-based Systemsのとき, KB5016616によって修正されるとあるので, このマシンはCVE-2022-34708が影響すると判断する.

  
  




{
  "CVEID": "CVE-2022-34708",
  "Title": "Windows Kernel Information Disclosure Vulnerability",
  "FAQs": [
    "<p><strong>What type of information could be disclosed by this vulnerability?</strong></p>\n<p>The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.</p>"
  ],
  "Tag": "Windows Kernel",
  "CNA": "Microsoft",
  "ExploitStatus": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely;DOS:N/A",
  "Products": [
    {
      "ProductID": "11923",
      "Name": "Windows Server 2022",
      "Impact": "Information Disclosure",
      "Severity": "Important",
      "ScoreSet": {
        "BaseScore": "5.5",
        "TemporalScore": "4.8",
        "Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"
      },
      "KBs": [
        {
          "Article": "5016627",
          "RestartRequired": "Yes",
          "SubType": "Security Update",
          "FixedBuild": "10.0.20348.887",
          "ArticleURL": "https://support.microsoft.com/help/5016627",
          "DownloadURL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5016627"
        }
      ]
    },
    {
      "ProductID": "11931",
      "Name": "Windows 10 Version 21H2 for x64-based Systems",
      "Impact": "Information Disclosure",
      "Severity": "Important",
      "ScoreSet": {
        "BaseScore": "5.5",
        "TemporalScore": "4.8",
        "Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"
      },
      "KBs": [
        {
          "Article": "5016616",
          "RestartRequired": "Yes",
          "SubType": "Security Update",
          "FixedBuild": "10.0.19044.1889",
          "ArticleURL": "https://support.microsoft.com/help/5016616",
          "DownloadURL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5016616"
        }
      ]
    },
    ...




  
  

Windows 10以前の更新プログラムは2種類で提供していたという説明をしたが, 脆弱性情報でも2つ記述されている.
KB5016681が未適用であっても, KB5016683が適用済みの場合, この脆弱性は修正済みであると判断する.

  
  




{
    "Name": "Windows Server 2012 R2",
    "KBs": [
        {
            "Article": "5016681",
            "RestartRequired": "Yes",
            "SubType": "Monthly Rollup",
            "FixedBuild": "6.3.9600.20520",
            "ArticleURL": "https://support.microsoft.com/help/5016681",
            "DownloadURL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5016681"
        },
        {
            "Article": "5016683",
            "RestartRequired": "Yes",
            "SubType": "Security Only",
            "FixedBuild": "6.3.9600.20520",
            "ArticleURL": "https://support.microsoft.com/help/5016683",
            "DownloadURL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5016683"
        }
    ]
}




  
  

また, このようにKBsが定義されていない脆弱性は, 更新プログラムでの修正が提供されていないものか, 更新プログラム以外での対応が必要なものが多い.

  
{
  "ProductID": "11931",
  "Name": "Windows 10 Version 21H2 for x64-based Systems",
  "Impact": "Security Feature Bypass",
  "Severity": "Important",
  "ScoreSet": {
    "BaseScore": "7.4",
    "TemporalScore": "6.4",
    "Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C"
  }
}

OS以外のProduct: Microsoft Edgeでの脆弱性検知

Microsoft Edgeの検知を考えてみる.

CVRFでのMicrosoft Edgeに関する脆弱性をいくつか抜粋した.
Get-Packageで取得できるパッケージ名はMicrosoft Edgeであるにも関わらず, CVRF上にはMicrosoft Edge (EdgeHTML-based) on <OS Name>, Microsoft Edge (Chromium-based) in IE Mode on <OS Name>, Microsoft Edge (Chromium-based)の3パターンあり, BulletinSearchにはMicrosoft Edge on <OS Name>で定義されている.
さらに, 修正に関する記述も様々で, CVE-2021-26411は修正したKBID, CVE-2021-41351は修正したKBIDとFixed Version, CVE-2023-24892はFixed Versionのみとなっている.
また, CVE-2021-42308はFAQに96.0.1954.29と書いてあり, Fixed Versionには96.0 1954.29とあるが, Releses Notesを見ると, Fixed Versionは96.0.1054.29のようである.
CVE-2020-16044とCVE-2020-1195に至っては, KBIDもFixed Versionも記述はない. ただし, FAQに書いてある.

記事執筆当時のVulsでは, EdgeのバージョンからEdgeHTML-basedか, Chromium-basedを判断し, 候補となるMicrosoft Edgeのパッケージ名を求め, それらのパッケージ名に関する脆弱性情報を取得して, KBIDがある場合, Fixed Versionがある場合でそれぞれで対応している.

しかし, OS以外のプロダクトでKBを利用しないケースの脆弱性検知は, 脆弱性情報を整備する段階で非常に難しい.

  
  




<vuln:Vulnerability Ordinal="47">
    <vuln:Title>Internet Explorer Memory Corruption Vulnerability</vuln:Title>
    <vuln:Notes>
        <vuln:Note Title="Description" Type="Description" Ordinal="0" />
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;How could an
            attacker exploit the vulnerability?&lt;/strong&gt;&lt;/p&gt;
            &lt;p&gt;An attacker could host a specially crafted website designed to exploit the
            vulnerability through Internet Explorer and then convince a user to view the
            website. The attacker could also take advantage of compromised websites, or websites
            that accept or host user-provided content or advertisements, by adding specially
            crafted content that could exploit the vulnerability. However, in all cases an
            attacker would have no way to force a user to view the attacker-controlled content.
            Instead, an attacker would have to convince a user to take action, typically by an
            enticement in an email or instant message, or by getting the user to open an
            attachment sent through email.&lt;/p&gt;
</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2021-26411</vuln:CVE>
    <vuln:Remediations>
        <vuln:Remediation Type="Vendor Fix">
            <vuln:Description>5000802</vuln:Description>
            <vuln:URL>https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5000802</vuln:URL>
            <vuln:Supercedence>4601319</vuln:Supercedence>
            <vuln:ProductID>10724-11800</vuln:ProductID>
            <!-- <prod:FullProductName ProductID="10724-11800">Microsoft Edge (EdgeHTML-based) on Windows 10 Version 20H2 for x64-based Systems</prod:FullProductName> -->
            <vuln:AffectedFiles />
            <vuln:RestartRequired>Yes</vuln:RestartRequired>
            <vuln:SubType>Security Update</vuln:SubType>
        </vuln:Remediation>
    </vuln:Remediations>
</vuln:Vulnerability>

<vuln:Vulnerability Ordinal="36">
    <vuln:Title>Microsoft Edge (Chrome based) Spoofing on IE Mode</vuln:Title>
    <vuln:Notes>
        <vuln:Note Title="Description" Type="Description" Ordinal="0" />
        <vuln:Note Title="Microsoft Edge (Chromium-based) in IE Mode" Type="Tag" Ordinal="20">Microsoft Edge (Chromium-based) in IE Mode</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2021-41351</vuln:CVE>
    <vuln:Remediations>
        <vuln:Remediation Type="Vendor Fix">
            <vuln:Description>5007215</vuln:Description>
            <vuln:URL>https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5007215</vuln:URL>
            <vuln:ProductID>11770-11926</vuln:ProductID>
            <!-- <prod:FullProductName ProductID="11770-11926">Microsoft Edge (Chromium-based) in IE Mode on Windows 11 version 21H2 for x64-based Systems</prod:FullProductName> -->
            <vuln:AffectedFiles />
            <vuln:RestartRequired>Yes</vuln:RestartRequired>
            <vuln:SubType>Security Update</vuln:SubType>
            <vuln:FixedBuild>10.0.22000.318</vuln:FixedBuild>
        </vuln:Remediation>
    </vuln:Remediations>
</vuln:Vulnerability>

<vuln:Vulnerability Ordinal="90">
    <vuln:Title>Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability</vuln:Title>
    <vuln:Notes>
        <vuln:Note Title="Description" Type="Description" Ordinal="0" />
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;According to the
            CVSS metric, user interaction is required (UI:R). What interaction would the user
            have to do?&lt;/strong&gt;&lt;/p&gt;
            &lt;p&gt;The user would have to click on a specially crafted URL to be compromised
            by the attacker.&lt;/p&gt;
</vuln:Note>
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;According to the
            CVSS metric, successful exploitation of this vulnerability could lead to some loss
            of integrity (I:L)? What does that mean for this
            vulnerability?&lt;/strong&gt;&lt;/p&gt;
            &lt;p&gt;The attacker is only able to modify the content of the vulnerable link to
            redirect the victim to a malicious site.&lt;/p&gt;
</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2023-24892</vuln:CVE>
    <vuln:Remediations>
        <vuln:Remediation Type="Vendor Fix">
            <vuln:Description>Release Notes</vuln:Description>
            <vuln:URL />
            <vuln:ProductID>11655</vuln:ProductID> 
            <!-- <prod:FullProductName ProductID="11655">Microsoft Edge (Chromium-based)</prod:FullProductName> -->
            <vuln:AffectedFiles />
            <vuln:RestartRequired>No</vuln:RestartRequired>
            <vuln:SubType>Security Update</vuln:SubType>
            <vuln:FixedBuild>111.0.1661.41</vuln:FixedBuild>
        </vuln:Remediation>
    </vuln:Remediations>
</vuln:Vulnerability>

<vuln:Vulnerability Ordinal="79">
    <vuln:Title>Microsoft Edge (Chromium-based) Spoofing Vulnerability</vuln:Title>
    <vuln:Notes>
        <vuln:Note Title="Description" Type="Description" Ordinal="0" />
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;What is the
            version information for this release?&lt;/strong&gt;&lt;/p&gt;
            &lt;table&gt;
            &lt;thead&gt;
            &lt;tr&gt;
            &lt;th&gt;Microsoft Edge Version&lt;/th&gt;
            &lt;th&gt;Date Released&lt;/th&gt;
            &lt;th&gt;Based on Chromium Version&lt;/th&gt;
            &lt;/tr&gt;
            &lt;/thead&gt;
            &lt;tbody&gt;
            &lt;tr&gt;
            &lt;td&gt;96.0.1954.29&lt;/td&gt;
            &lt;td&gt;11/19/2021&lt;/td&gt;
            &lt;td&gt;96.0.4664.45&lt;/td&gt;
            &lt;/tr&gt;
            &lt;/tbody&gt;
            &lt;/table&gt;
</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2021-42308</vuln:CVE>
    <vuln:Remediations>
        <vuln:Remediation Type="Vendor Fix">
            <vuln:Description>Release Notes</vuln:Description>
            <vuln:URL />
            <vuln:ProductID>11655</vuln:ProductID>
            <!-- <prod:FullProductName ProductID="11655">Microsoft Edge (Chromium-based)</prod:FullProductName> -->
            <vuln:AffectedFiles />
            <vuln:RestartRequired>No</vuln:RestartRequired>
            <vuln:SubType>Security Update</vuln:SubType>
            <vuln:FixedBuild>96.0 1954.29</vuln:FixedBuild>
        </vuln:Remediation>
    </vuln:Remediations>
</vuln:Vulnerability>

<vuln:Vulnerability Ordinal="0">
    <vuln:Title>Chromium CVE-2020-16044: Use after free in WebRTC</vuln:Title>
    <vuln:Notes>
        <vuln:Note Title="Description" Type="Description" Ordinal="0">&lt;p&gt;This CVE was
            assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which
            addresses this vulnerability. Please see &lt;a
            href="https://chromereleases.googleblog.com/2021"&gt;Google Chrome
            Releases&lt;/a&gt; for more information.&lt;/p&gt;
</vuln:Note>
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;Why is this Chrome
            CVE included in the Security Update Guide?&lt;/strong&gt;&lt;/p&gt;
            &lt;p&gt;The vulnerability assigned to this CVE is in Chromium Open Source Software
            (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented
            in the Security Update Guide to announce that the latest version of Microsoft Edge
            (Chromium-based) is no longer vulnerable. Please see &lt;a
            href="https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/"&gt;Security
            Update Guide Supports CVEs Assigned by Industry Partners&lt;/a&gt; for more
            information.&lt;/p&gt;
            &lt;p&gt;&lt;strong&gt;How can I see the version of the
            browser?&lt;/strong&gt;&lt;/p&gt;
            &lt;ol&gt;
            &lt;li&gt;In your Microsoft Edge browser, click on the 3 dots (...) on the very
            right-hand side of the window&lt;/li&gt;
            &lt;li&gt;Click on &lt;strong&gt;Help and Feedback&lt;/strong&gt;&lt;/li&gt;
            &lt;li&gt;Click on &lt;strong&gt;About Microsoft Edge&lt;/strong&gt;&lt;/li&gt;
            &lt;/ol&gt;
</vuln:Note>
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;What is the
            version information for this release?&lt;/strong&gt;&lt;/p&gt;
            &lt;table&gt;
            &lt;thead&gt;
            &lt;tr&gt;
            &lt;th&gt;Microsoft Edge Version&lt;/th&gt;
            &lt;th&gt;Date Released&lt;/th&gt;
            &lt;th&gt;Based on Chromium Version&lt;/th&gt;
            &lt;/tr&gt;
            &lt;/thead&gt;
            &lt;tbody&gt;
            &lt;tr&gt;
            &lt;td&gt;88.0.705.50&lt;/td&gt;
            &lt;td&gt;1/21/2021&lt;/td&gt;
            &lt;td&gt;88.0.4324.96&lt;/td&gt;
            &lt;/tr&gt;
            &lt;/tbody&gt;
            &lt;/table&gt;
</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2020-16044</vuln:CVE>
    <vuln:Remediations>
        <vuln:Remediation Type="Vendor Fix">
            <vuln:Description>Release Notes</vuln:Description>
            <vuln:URL />
            <vuln:ProductID>11655</vuln:ProductID>
            <!-- <prod:FullProductName ProductID="11655">Microsoft Edge (Chromium-based)</prod:FullProductName> -->
            <vuln:AffectedFiles />
            <vuln:RestartRequired>No</vuln:RestartRequired>
            <vuln:SubType>Security Update</vuln:SubType>
        </vuln:Remediation>
    </vuln:Remediations>
</vuln:Vulnerability>

<vuln:Vulnerability Ordinal="112">
    <vuln:Title>Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability</vuln:Title>
    <vuln:Notes>
        <vuln:Note Title="Description" Type="Description" Ordinal="0">&lt;p&gt;An elevation of
            privilege vulnerability exists in Microsoft Edge (Chromium-based) when the Feedback
            extension improperly validates input. An attacker who successfully exploited this
            vulnerability could write files to arbitrary locations and gain elevated
            privileges.&lt;/p&gt;
            &lt;p&gt;The vulnerability by itself does not allow arbitrary code to run. However,
            this vulnerability could be used in conjunction with one or more vulnerabilities
            (for example a remote code execution vulnerability and another elevation of
            privilege vulnerability) to take advantage of the elevated privileges when
            running.&lt;/p&gt;
            &lt;p&gt;The security update addresses the vulnerability by modifying how Microsoft
            Edge (Chromium-based) Feedback extension validates files.&lt;/p&gt;
</vuln:Note>
        <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;What version of
            Microsoft Edge (Chromium-base) contains the fix for this
            vulnerability?&lt;/strong&gt;&lt;/p&gt;
            &lt;p&gt;The version that contains the update is 83.0.478.37.&lt;/p&gt;
</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2020-1195</vuln:CVE>
    <vuln:ProductStatuses>
        <vuln:Status Type="Known Affected">
            <vuln:ProductID>11655</vuln:ProductID>
            <!-- <prod:FullProductName ProductID="11655">Microsoft Edge (Chromium-based)</prod:FullProductName> -->
        </vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Remediations />
</vuln:Vulnerability>




  
  

Windows対応をもっと安定させるために, 皆様へのお願い

まとめ

この記事では, Vuls祭り#7で使用したスライドに沿って, VulsでのWindows対応について解説しました.
Linux/FreeBSDと同じ感覚でWindowsもスキャンできるようになりました.
Windowsのスキャンを安定させるためにも, 皆様からのフィードバックをお待ちしております.

最後に, Microsoft Security Research Centerの方へこの記事が届いたならば, より実用的な脆弱性情報が提供できるように何かお手伝いをさせてください, お願いします.

Windows Vulnerability Scan on OSS Vuls

Analysis of Windows Vulnerability Scan

VulsでのWindows脆弱性検知ステータス

利用している脆弱性情報

脆弱性検知の方針

OSを特定する

インストールされているパッケージを調べる

更新プログラムの適用状況を調べる

OSの脆弱性を検知

OS以外のProduct: Microsoft Edgeでの脆弱性検知

Windows対応をもっと安定させるために, 皆様へのお願い

まとめ

目次

カテゴリー

Windows Vulnerability Scan on OSS Vuls

Analysis of Windows Vulnerability Scan

VulsでのWindows脆弱性検知 ステータス

利用している脆弱性情報

脆弱性検知の方針

OSを特定する

インストールされているパッケージを調べる

更新プログラムの適用状況を調べる

OSの脆弱性を検知

OS以外のProduct: Microsoft Edgeでの脆弱性検知

Windows対応をもっと安定させるために, 皆様へのお願い

まとめ

目次

カテゴリー

VulsでのWindows脆弱性検知ステータス