Sharing unexpected inventory issue - Edge Version reporting wrong string

easyedc
Valued Contributor II

Yesterday a CVE was released indicating a high-risk vulnerability within most browsers - CVE-2023-4863. During my creating a report to check to make sure my Edge versions were getting patched (needed to filter out active workstations which Patch Management can't do) I discovered that Jamf inventory reporting is reporting the wrong version string. 

 

In tracking the Microsoft Edge version, Jamf inventory is pulling the edge version from CFBundleVersion while Patch Management and the app itself displays from CFBundleShortVersionString, affecting the ability to make effective smart groups to track patching. I've submitted a ticket to Jamf and it's been sent as a FR or a PI, but if you needed to follow along on your own compliance, be aware that your smart group won't ever populate correctly until it's corrected. 

 

Also here's a quick EA to create correct smart groups if you needed it.

#!/bin/sh

#  Edge version - CFBundleShortVersionString.sh
#
#  Created by Ed C on 9/28/23.
#  
###############
# Script to get the CFBundleShortVersionString from the Microsoft Edge info.plist file
###############

EdgeVer=$(/usr/bin/defaults read /Applications/Microsoft\ Edge.app/Contents/Info.plist CFBundleShortVersionString || echo "Microsoft Edge not installed")

echo "<result>$EdgeVer</result>"
exit 0

 

3 REPLIES 3

efil4xiN
Contributor II

maybe a cloud vs onsite thing? We are getting the proper reporting for both Chrome and Edge. Did you try  " the Refresh (un-monitoring, the rechecking the box?). CVE applies to  pre 117.x.x version. The bigger concern is the list of apps that use electron.

CVE-2023-4863 

easyedc
Valued Contributor II

Oh I didn't think about it being a cloud/on-prem difference. Jamf updated my case and confirmed what I suspected. FWIW I'm Cloud. 

I have confirmed this with our specialists and it seems that it normally Jamf reports CFBundleShortVersionString, however for Microsoft application, the version reported is based on CFBundleVersion. We have reported this and we hope to have our Engineering team investigate as soon as possible to modify this


Agree about that list of affected applications the CVE covers.  It's a not-small list of popular apps - LibWebP, the New Log4j.

@easyedc  someone on staff just  found this about this. you are correct. Both Versions are noted at macadmins software for the same item, but not sure on why vendors chose the options they did, thanks for pointing it out my friend