News Stay informed about the latest enterprise technology news and product updates.

Microsoft releases first third-party security advisories

Microsoft on Tuesday released its first security advisories for vulnerabilities its researchers found in third-party products: two in Google’s Chrome browser and one in Opera. Both have been fixed by the vendors.

The bug release was part of a broader announcement by Microsoft on its Coordinated Vulnerability Disclosure program, which it first announced last July. Under CVD, a security researcher reports security vulnerabilities to the affected vendor, a national CERT or other coordinator that will report the bug privately to the vendor; the researcher gives the vendor a chance to fix the problem or figure out a workaround before any party discloses it.

In addition to the security advisories, Microsoft on Tuesday also released a document that clarifies its approach to CVD as a vendor, vulnerability finder, and coordinator of vulnerabilities that affect multiple vendors, Matt Thomlison, general manager, Trustworthy Computing Security, wrote in a blog post.  The company also adopted an internal policy for vulnerability disclosure for employees to follow when finding security flaws in third-party products, he said.

The Microsoft Vulnerability Research program has privately notified third parties of vulnerabilities since it was established in 2008, he said. The advisories illustrate the company’s commitment to handling vulnerability disclosure in a coordinated way, Thomlison said.

“After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem,” he said.  “By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed.   We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.”

Marc Maifrett, CTO of eEye Digital Security, said in a prepared statement that while Microsoft should be commended for taking an active role in vulnerability research, it and other technology companies should address larger problems that have led to security researchers to stop working with vendors.

First, he said vulnerability research isn’t easy and now they have a way to be compensated by selling zero-day vulnerabilities to buyers, both of good and bad intentions. Second, researchers are unsatisfied with the time it takes vendors to fix flaws that are reported to them.

“Microsoft, and other technology companies, still fail to set a time line of what the cut off period is for a researcher to wait for Microsoft to create a patch, after which point a researcher should be able to publish their details to help the community without not being vilified by Microsoft or other technology companies as being irresponsible, or uncoordinated as it is now,” Maifrett said.

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

How is your company customer-focused?
Cancel
A patent-pending QR technology that addresses the issue of brand engagement, along with database collection and Facebook integration, is http://GrapevineQR.com

This application is an impressive milestone in the world of QR marketing, which unites companies and clients.

You can oversee your deals or promotions, get crucial data and receive live analytics (to measure the efficacy of your efforts) and direct 'Likes' to your Facebook page -- allowing customers to further the news with their friends about a promotion they scanned and posted on their Facebook wall. Just one scan by any of those friends can result in a viral marketing campaign that draws the attention of consumers around the globe. This new chapter in digital marketing is impressive, real and a valuable source for outreach.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close