Microsoft kicks off third-party bug warnings with two for Chrome

Gregg Keizer, Computerworld | May 19, 2011
Microsoft today released a pair of security advisories for Chrome, the browser built by rival Google -- part of an expansion of the vulnerability disclosure policy Microsoft launched last summer.

One of the advisories also called out a vulnerability in Opera.

The change is part of an expansion of the vulnerability disclosure policy Microsoft launched last summer, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC).

The bugs were discovered by Microsoft researchers, and reported to the security teams responsible for Chrome and Opera. Google patched the two Chrome vulnerabilities last September and December; Opera fixed its browser flaw in October 2010.

The advisories were the first ever from Microsoft for bugs in third-party products. According to Reavey, they will be followed by others, as necessary. "If we're in a situation where we find a vulnerability in some other vendor's product, we will release an advisory ourselves," said Reavey.

At times, those advisories will appear before the affected vendor has a patch ready for users, Reavey acknowledged. "If there's an attack [ongoing], we'll release an advisory, most of the time with workarounds and mitigations, but we will continue to coordinate when we do so," he said.

In no instance will Microsoft issue an advisory on someone else's software without first contacting and coordinating work with the other vendor, Reavey stressed.

Microsoft follows the same practice for flaws its researchers find in the company's own software, pointed out Andrew Storms, director of security operations for nCircle Security.

Storms applauded the move, largely because of his high opinion of the advisories the company produces for its own code. Microsoft's advisories are much more thorough than those from most rivals, he said, and more easily digestible.

This isn't a sudden shift, said Storms. "Back in 2008 at [the] Black Hat [security conference], Microsoft said they were interested in finding vulnerabilities in the entire Windows ecosystem. It took them three years to get it going," he said.

Microsoft kicked off its Microsoft Vulnerability Research (MSVR) program in August 2008, saying then that its security researchers would report bugs they found to third-party developers, and coordinate with those vendors to make sure details did not go public before a patch was in place.

At the time, however, Microsoft said it would not issue security advisories for third-party software.

Today's advisories were part of a larger announcement by Microsoft that made public details of its bug policy, which it dubbed "coordinated vulnerability disclosure," or CVD, almost nine months ago.

Last July, Microsoft said it would drop the term "responsible disclosure" used to describe the back-and-forth between bug finders and vendors, and instead use the new moniker CVD. At the time, Microsoft admitted the move was primarily a name change designed to eliminate what it said was the "emotional" context of the older term.
