Microsoft: We'll help other vendors find, fix their bugs
But company stops short of promising to lend Windows Update to others
Computerworld - Microsoft Corp.'s security team will help third-party developers of Windows applications and add-ons find and fix bugs in their software, the company said today.
The program, dubbed Microsoft Vulnerability Research (MSVR), is a formalization of things the company currently does, not a brand-new initiative, said Andrew Cushman, the company's director of security response and outreach, from the Black Hat security conference.
"This is work we're already doing," he said. "We'll report vulnerabilities we find in third-party software, and we'll work with them to identify, resolve and mitigate those vulnerabilities."
Microsoft has, at times, gone public with work it has done in collaboration with other software vendors. One of the most recent examples was in May and June, when Microsoft worked with Apple Inc. on flaws in both its own Internet Explorer browser and Apple's Safari. Then, however, Microsoft took shots at its rival, telling users in one of its security advisories that they should stop using Apple's browser until it was fixed.
Earlier this year, Microsoft helped out Yahoo Inc. by issuing a "kill bit" update through its Windows Update service that disabled a buggy ActiveX control installed by Yahoo on PCs that played tunes purchased from its now-defunct online music store.
According to Cushman, Microsoft's security researchers will report bugs they find during their work to third-party developers, and coordinate their work to make sure that details of those vulnerabilities don't go public before a patch is in place. He also said Microsoft would help those third-party companies in other ways, but he was somewhat vague about the extent of that help.
When asked if Microsoft would enhance its Windows Update service so that it pushed third-party updates to Windows users, for example, he hesitated for several seconds before answering: "That's a hard question. We're always looking to provide the best experience for our customers, so we'll examine all aspects, including vulnerability identification, other mitigations and as a final link, detection and deployment.
"But I can't say we would use Windows Update."
Microsoft won't issue security advisories for third-party software as it does for its own programs, said Cushman. Instead, according to a follow-up fact sheet that the company's public relations firm provided, outside vendors will be given "the necessary information and assistance to develop an update to address the vulnerability."
Cushman said the move was in Microsoft's own interests, but he also argued that it would be a win for everyone. "Some may question [our motives], but this is for the good of customers and the enterprise, and it will help protect their environment of Microsoft [software] and other software as well.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts