Microsoft to work with others on bug reports
Software giant details how its researchers will handle vulnerability reports affecting software from other companies and says it will coordinate multi-vendor reporting.
Microsoft is taking on more responsibility when it comes to vulnerabilities that affect multiple software makers.
The company announced today that it will serve as vulnerability coordinator when one of its employees discovers a security issue that affects software from other companies or when an outside researcher reports a problem to the Microsoft Security Response Center (MSRC).
The news comes on the heels of a report that concludes that software in general is fundamentally flawed. Of more than 4,800 applications analyzed by Veracode via its application security testing platform, 58 percent of all software applications failed to meet acceptable levels of security quality upon initial submission, according to Veracode's State of Software Security Report. One of the worst performers was security software, with 72 percent of such applications tested failing to meet acceptable security levels.
Microsoft detailed its disclosure policy in a document titled "Coordinated Vulnerability Disclosure at Microsoft," which also explains how its researchers--either in work for the company or on their own--will be expected to handle matters when they discover holes in other software makers' products. And the company issued advisories for flaws that Microsoft researchers found in Chrome and Chrome and Opera. The problems were fixed.
In all cases, Microsoft said it will contact the software maker whose application is affected and coordinate public disclosure with the company so that a fix is ready before the public is informed of the problem via an MSRC advisory. The only exceptions are when the software maker fails to respond, the technical details of the vulnerability are publicly available, or there is evidence of unpatched holes being exploited in attacks in the wild.
Coordinated disclosure contrasts with full disclosure, in which researchers reveal technical details of the vulnerability without waiting for a vendor to have a fix available. Researchers complain that vendors drag their feet on fixing holes, otherwise.
Microsoft disagrees. "In general, most folks in the industry feel that working in a coordinated way helps reduce risk for the customers," Mike Reavey, director of MSRC, told CNET.
HD Moore, chief security Officer at Rapid7 and chief architect of Metasploit, said he would like to see Microsoft provide a time frame for releasing fixes.
"They're not really holding themselves to any new standard for turnaround time," he said. "It's nice to see Microsoft realizing that they are not just a large company, but part of an ecosystem and it makes sense for them to be able to coordinate vulnerabilities."
"The next step would be for Microsoft to be a little more descriptive and provide more accountability on how they are going to respond to researchers," said Jake Kouns, chief executive of the Open Security Foundation. "It's frustrating for researchers when a fix is in negotiations for a fair amount of time for a coordinated response."
However, it's not always feasible to rush a fix out, Kouns said. "Some researchers want a company to fix the problem tomorrow but that's not realistic. They could fix the problem but break tons of functionality."
"Microsoft does not believe in enforcing an arbitrary deadline of our choosing on other vendors. Doing so does not help minimize risk to customers," Reavey said. "Responding to security vulnerabilities can be a complex, extensive, and time-consuming process."
Updated April 20 9:09 a.m. PT to include that Chrome and Opera issues were resolved.