Microsoft on Tuesday released its first security advisories for vulnerabilities its researchers found in third-party products: two in Google’s Chrome browser and one in Opera. Both vendors have already fixed the flaws.
The advisories were part of a broader announcement by Microsoft on its Coordinated Vulnerability Disclosure (CVD) program, which it first announced last July. Under CVD, a security researcher reports a vulnerability privately, either to the affected vendor directly or to a national CERT or other coordinator that passes it on to the vendor; the vendor is then given a chance to fix the problem or devise a workaround before any party discloses it publicly.
In addition to the security advisories, Microsoft on Tuesday also released a document that clarifies its approach to CVD in each of its three roles: as a vendor, as a finder of vulnerabilities, and as a coordinator for vulnerabilities that affect multiple vendors, Matt Thomlison, general manager, Trustworthy Computing Security, wrote in a blog post. The company also adopted an internal disclosure policy that employees must follow when they find security flaws in third-party products, he said.
The Microsoft Vulnerability Research program has privately notified third parties of vulnerabilities since it was established in 2008, he said. The advisories illustrate the company’s commitment to handling vulnerability disclosure in a coordinated way, Thomlison said.
“After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem,” he said. “By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.”
Marc Maifrett, CTO of eEye Digital Security, said in a prepared statement that while Microsoft should be commended for taking an active role in vulnerability research, it and other technology companies should address the larger problems that have led security researchers to stop working with vendors.
First, he said, vulnerability research is hard work, and researchers now have a way to be paid for it: selling zero-day vulnerabilities to buyers of both good and bad intentions. Second, researchers are unsatisfied with how long vendors take to fix the flaws reported to them.
“Microsoft, and other technology companies, still fail to set a timeline of what the cutoff period is for a researcher to wait for Microsoft to create a patch, after which point a researcher should be able to publish their details to help the community without being vilified by Microsoft or other technology companies as being irresponsible, or uncoordinated as it is now,” Maifrett said.