Microsoft kicks off third-party bug warnings with two for Chrome

Google patched the bugs in September and December 2010

Microsoft today released a pair of security advisories for Chrome, the browser built by rival Google.

One of the advisories also called out a vulnerability in Opera.

The change is part of an expansion of the vulnerability disclosure policy Microsoft launched last summer, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC).

The bugs were discovered by Microsoft researchers, and reported to the security teams responsible for Chrome and Opera. Google patched the two Chrome vulnerabilities last September and December; Opera fixed its browser flaw in October 2010.

The advisories were the first ever from Microsoft for bugs in third-party products. According to Reavey, they will be followed by others, as necessary. "If we're in a situation where we find a vulnerability in some other vendor's product, we will release an advisory ourselves," said Reavey.

At times, those advisories will appear before the affected vendor has a patch ready for users, Reavey acknowledged. "If there's an attack [ongoing], we'll release an advisory, most of the time with workarounds and mitigations, but we will continue to coordinate when we do so," he said.

In no instance will Microsoft issue an advisory on someone else's software without first contacting and coordinating work with the other vendor, Reavey stressed.

Microsoft follows the same practice for flaws its researchers find in the company's own software, pointed out Andrew Storms, director of security operations for nCircle Security.

Storms applauded the move, largely because of his high opinion on the advisories the company produces for its own code. Microsoft's advisories are much more thorough than those from most rivals, he said, and more easily digestible.

This isn't a sudden shift, said Storms. "Back in 2008 at [the] Black Hat [security conference], Microsoft said they were interested in finding vulnerabilities in the entire Windows ecosystem. It took them three years to get it going," he said.

Microsoft kicked off its Microsoft Vulnerability Research (MSVR) program in August 2008, saying then that its security researchers would report bugs they found to third-party developers, and coordinate with those vendors to make sure details did not go public before a patch was in place.

At the time, however, Microsoft said it would not issue security advisories for third-party software.

Today's advisories were part of a larger announcement by Microsoft that made public details of its bug policy, which it dubbed "coordinated vulnerability disclosure," or CVD, almost nine months ago.

Last July, Microsoft said it would drop the term "responsible disclosure" used to describe the back-and-forth between bug finders and vendors, and instead use the new moniker CVD. At the time, Microsoft admitted the move was primarily a name change designed to eliminate what it said was the "emotional" context of the older term.

Microsoft published the policy today -- something it had not done last year -- and asked that others in the security community "embrace the purpose of this shift, which is ultimately about minimizing customer risk, not amplifying it."

Today's advisories are a demonstration of that policy in action, said Reavey, who also acknowledged that future advisories will address complaints that critics had aired about CVD.

"One thing we hear from 'full disclosure' [proponents' is that customers can be put at risk with CVD," he said, talking about the opposing philosophy by some researchers, who believe in making vulnerabilities public to push vendors' patching pace. Advisories that Microsoft issues down the road about bugs that lack a patch are an attempt to answer those critics.

Microsoft also made public a policy that's been in place since November 2010 that requires all employees to follow the CVD guidelines, and report bugs in third-party products to the MSVR program. The new rules for internal researchers applies whether they found the flaws on company time, or their own, said Reavey.

When asked whether Microsoft expects others to follow its lead -- some Google security engineers, for instance, have released information about Windows bugs before Microsoft had patches ready -- Reavey didn't answer directly.

"In general, this is the shift we would like to see the industry move toward," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags applicationsGoogleMicrosoftsecurityWindowsbrowserssoftwareMalware and Vulnerabilitiesoperating systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?