Microsoft kicks off third-party bug warnings with two for Chrome
Google patched the bugs in September and December 2010
Computerworld - Microsoft today released a pair of security advisories for Chrome, the browser built by rival Google.
One of the advisories also called out a vulnerability in Opera.
The change is part of an expansion of the vulnerability disclosure policy Microsoft launched last summer, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC).
The bugs were discovered by Microsoft researchers, and reported to the security teams responsible for Chrome and Opera. Google patched the two Chrome vulnerabilities last September and December; Opera fixed its browser flaw in October 2010.
The advisories were the first ever from Microsoft for bugs in third-party products. According to Reavey, they will be followed by others, as necessary. "If we're in a situation where we find a vulnerability in some other vendor's product, we will release an advisory ourselves," said Reavey.
At times, those advisories will appear before the affected vendor has a patch ready for users, Reavey acknowledged. "If there's an attack [ongoing], we'll release an advisory, most of the time with workarounds and mitigations, but we will continue to coordinate when we do so," he said.
In no instance will Microsoft issue an advisory on someone else's software without first contacting and coordinating work with the other vendor, Reavey stressed.
Microsoft follows the same practice for flaws its researchers find in the company's own software, pointed out Andrew Storms, director of security operations for nCircle Security.
Storms applauded the move, largely because of his high opinion on the advisories the company produces for its own code. Microsoft's advisories are much more thorough than those from most rivals, he said, and more easily digestible.
This isn't a sudden shift, said Storms. "Back in 2008 at [the] Black Hat [security conference], Microsoft said they were interested in finding vulnerabilities in the entire Windows ecosystem. It took them three years to get it going," he said.
Microsoft kicked off its Microsoft Vulnerability Research (MSVR) program in August 2008, saying then that its security researchers would report bugs they found to third-party developers, and coordinate with those vendors to make sure details did not go public before a patch was in place.
At the time, however, Microsoft said it would not issue security advisories for third-party software.
Today's advisories were part of a larger announcement by Microsoft that made public details of its bug policy, which it dubbed "coordinated vulnerability disclosure," or CVD, almost nine months ago.
Last July, Microsoft said it would drop the term "responsible disclosure" used to describe the back-and-forth between bug finders and vendors, and instead use the new moniker CVD. At the time, Microsoft admitted the move was primarily a name change designed to eliminate what it said was the "emotional" context of the older term.
Microsoft published the policy today -- something it had not done last year -- and asked that others in the security community "embrace the purpose of this shift, which is ultimately about minimizing customer risk, not amplifying it."
Today's advisories are a demonstration of that policy in action, said Reavey, who also acknowledged that future advisories will address complaints that critics had aired about CVD.
"One thing we hear from 'full disclosure' [proponents' is that customers can be put at risk with CVD," he said, talking about the opposing philosophy by some researchers, who believe in making vulnerabilities public to push vendors' patching pace. Advisories that Microsoft issues down the road about bugs that lack a patch are an attempt to answer those critics.
Microsoft also made public a policy that's been in place since November 2010 that requires all employees to follow the CVD guidelines, and report bugs in third-party products to the MSVR program. The new rules for internal researchers applies whether they found the flaws on company time, or their own, said Reavey.
When asked whether Microsoft expects others to follow its lead -- some Google security engineers, for instance, have released information about Windows bugs before Microsoft had patches ready -- Reavey didn't answer directly.
"In general, this is the shift we would like to see the industry move toward," he said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.