Microsoft kicks off third-party bug warnings with two for Chrome

Computerworld - Microsoft today released a pair of security advisories for Chrome, the browser built by rival Google.

One of the advisories also called out a vulnerability in Opera.

The change is part of an expansion of the vulnerability disclosure policy Microsoft launched last summer, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC).

The bugs were discovered by Microsoft researchers, and reported to the security teams responsible for Chrome and Opera. Google patched the two Chrome vulnerabilities last September and December; Opera fixed its browser flaw in October 2010.

The advisories were the first ever from Microsoft for bugs in third-party products. According to Reavey, they will be followed by others, as necessary. "If we're in a situation where we find a vulnerability in some other vendor's product, we will release an advisory ourselves," said Reavey.

At times, those advisories will appear before the affected vendor has a patch ready for users, Reavey acknowledged. "If there's an attack [ongoing], we'll release an advisory, most of the time with workarounds and mitigations, but we will continue to coordinate when we do so," he said.

In no instance will Microsoft issue an advisory on someone else's software without first contacting and coordinating work with the other vendor, Reavey stressed.

Microsoft follows the same practice for flaws its researchers find in the company's own software, pointed out Andrew Storms, director of security operations for nCircle Security.

Storms applauded the move, largely because of his high opinion on the advisories the company produces for its own code. Microsoft's advisories are much more thorough than those from most rivals, he said, and more easily digestible.

This isn't a sudden shift, said Storms. "Back in 2008 at [the] Black Hat [security conference], Microsoft said they were interested in finding vulnerabilities in the entire Windows ecosystem. It took them three years to get it going," he said.

Microsoft kicked off its Microsoft Vulnerability Research (MSVR) program in August 2008, saying then that its security researchers would report bugs they found to third-party developers, and coordinate with those vendors to make sure details did not go public before a patch was in place.

At the time, however, Microsoft said it would not issue security advisories for third-party software.

Today's advisories were part of a larger announcement by Microsoft that made public details of its bug policy, which it dubbed "coordinated vulnerability disclosure," or CVD, almost nine months ago.

Last July, Microsoft said it would drop the term "responsible disclosure" used to describe the back-and-forth between bug finders and vendors, and instead use the new moniker CVD. At the time, Microsoft admitted the move was primarily a name change designed to eliminate what it said was the "emotional" context of the older term.

Microsoft published the policy today -- something it had not done last year -- and asked that others in the security community "embrace the purpose of this shift, which is ultimately about minimizing customer risk, not amplifying it."

Today's advisories are a demonstration of that policy in action, said Reavey, who also acknowledged that future advisories will address complaints that critics had aired about CVD.

"One thing we hear from 'full disclosure' [proponents' is that customers can be put at risk with CVD," he said, talking about the opposing philosophy by some researchers, who believe in making vulnerabilities public to push vendors' patching pace. Advisories that Microsoft issues down the road about bugs that lack a patch are an attempt to answer those critics.

Microsoft also made public a policy that's been in place since November 2010 that requires all employees to follow the CVD guidelines, and report bugs in third-party products to the MSVR program. The new rules for internal researchers applies whether they found the flaws on company time, or their own, said Reavey.

When asked whether Microsoft expects others to follow its lead -- some Google security engineers, for instance, have released information about Windows bugs before Microsoft had patches ready -- Reavey didn't answer directly.

"In general, this is the shift we would like to see the industry move toward," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.