I noticed one of the vulnerabilities in the Vulnerabilities for Windows site that is titled: "Unspecified vulnerability in the PRC component in Adobe Reader and Acrobat 9.x before 9.4.7 on Windows, Adobe Reader and Acrobat 9.x through 9.4.6 on Mac OS X, Adobe Reader and Acrobat 10.x through 10.1.1 on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011."
. . . is possibly broken. I have systems with Adobe Acrobat and Reader with 10.1.4 only (no other versions installed) and it's showing them as vulnerable; in fact, every single system that has Adobe Acrobat or Reader installed is showing as vulnerable regardless of the version. That tells me something is messed up in the Relevance, since this should only be Relevant for 9.x through 10.1.1 on my Windows systems, not 10.1.4.
Here's the full info:
Site: Vulnerabilities to Windows Systems
CVE ID: CVE-2011-4369
Download Size: <no download>
Source ID: OVAL14865
Source Severity: High
Source Release Date: 1/30/2012
Topic: Broken Vulnerability Fixlet- Unspecified Vulnerability in the PRC component
Eric Walker 270004GTCX34 Posts
Re: Broken Vulnerability Fixlet- Unspecified Vulnerability in the PRC component
2012-11-13T16:56:25Z
This is the accepted answer.
Hi @jfschafer -- we will look into this. We build our vulnerability content from a feed provided by MITRE, and when there are issues, sometimes it is because we are interpreting the feed incorrectly, and sometimes it is because the source XML is broken. We'll try to see which of these is going on here.
SystemAdmin 110000D4XK119 Posts
Re: Broken Vulnerability Fixlet- Unspecified Vulnerability in the PRC component
2012-11-13T20:24:35Z
This is the accepted answer.
Looking at the definition itself (found at http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14865 ), the definition naively checks for the range of 10.0 to 10.1 (inclusive), so in your situation, it would always be true. We publish the content as is, and this is a content bug.
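The range problem described in the reply above, as an added Python example that is not the OVAL definition or the Fixlet's relevance. It assumes the defective check compares only the major.minor part of the version against 10.0 to 10.1, and contrasts that with the Windows ranges in the CVE text quoted in the first post; the function names and the inventory are constructed for illustration.

```python
from itertools import zip_longest


def parse(version):
    """Turn '10.1.4' into (10, 1, 4)."""
    return tuple(int(part) for part in version.split("."))


def cmp_versions(a, b):
    """Component-wise compare, padding the shorter version with zeros."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def naive_match(version):
    """Assumed defective behaviour: only major.minor is tested against 10.0..10.1."""
    return (10, 0) <= parse(version)[:2] <= (10, 1)


def advisory_match_windows(version):
    """Windows ranges from the CVE-2011-4369 text: 9.x before 9.4.7, 10.x through 10.1.1."""
    v = parse(version)
    if v[0] == 9:
        return cmp_versions(v, (9, 4, 7)) < 0
    if v[0] == 10:
        return cmp_versions(v, (10, 1, 1)) <= 0
    return False


def false_positives(inventory):
    """Hosts the naive check flags although the advisory range excludes them."""
    return sorted(host for host, ver in inventory.items()
                  if naive_match(ver) and not advisory_match_windows(ver))


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "ws-01": "10.1.4",   # patched, but 10.1 falls inside the naive range
    "ws-02": "10.1.1",   # genuinely in the affected range
    "ws-03": "9.4.6",    # genuinely in the affected range
    "ws-04": "10.1.2",   # patched, flagged by the naive check
    "ws-05": "11.0.0",   # outside both checks
}

if __name__ == "__main__":
    print("false positives:", false_positives(INVENTORY))
```

Comparing a scan's flagged hosts against a full-precision check like this is a quick way to separate content bugs from real exposure before scheduling remediation.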