ADR rules for 0-Day browser updates

iamr00t · August 29, 2024, 05:05:44 PM

I've been trying to find a good set of parameters to use for catching Chrome, Edge Chromium, and Firefox updates, but I have noticed that they never seem to be listed with severity "Critical" despite being declared a 0-day eventually. That might be the way updates are classified and do not change, perhaps? So far, I have looked at this criteria:
Severity is "Important"
Description contains "CVE-2024" (which works for Edge Chromium and Mozilla Firefox) and "High CVE-2024" (which works for Google Chrome).

I am mainly curious if there is anything which differentiates an update as 0-Day (which by my perspective should be upgraded to "Critical."

Any help would be appreciated.
SS

Omar (Patch My PC) · August 30, 2024, 05:57:57 AM

Neither Google nor Microsoft stated that any of these CVEs are Critical! Google marked the highest ones as Important/High only! So did we. I wonder why they didn't mark the 0-day ones as Critical though! Chrome Releases: Stable Channel Update for Desktop (googleblog.com)

iamr00t · August 30, 2024, 08:15:53 AM

A curious point. It does seem that they should elevate the rating on their releases when they flip to 0-day. Does the text in the description for each product always come from the release notes? I would assume so. It probably explains how the text is always so different (Chrome never mentions High for their CVEs). I know PmPC is only going by what the developers release. Thanks for your help!

ADR rules for 0-Day browser updates

iamr00t

Omar (Patch My PC)

iamr00t