Dark Reading is part of the Informa Tech Division of Informa PLC

7/22/2010 11:33 AM
Microsoft Launches 'Coordinated' Vulnerability Disclosure Program

Microsoft abandons controversial 'responsible disclosure' term, supporting public disclosure of unpatched bug details when attacks hit

Microsoft today revealed a new, modified approach to how it works with security researchers and handles vulnerability disclosures, including working with researchers to publicly release vulnerability details of a zero-day flaw when attacks are under way.

In an interview with Dark Reading, Mike Reavey, director of Microsoft Security Response Center, said Microsoft is now promoting "coordinated vulnerability disclosure" (CVD) and moving toward working more closely with researchers in coordinating the release of details on new, unpatched bugs. Reavey says the term "responsible disclosure" had become too emotionally charged and it was time for a shift in philosophy.

"This is not a drastic departure from what we're already doing, but we think it's important," Reavey says. "The two changes here are talking about how responsibility extends beyond disclosure -- where [researchers and vendors] are working together to minimize the risk [to users]," he says. "And if there are attacks in the wild, we are working to coordinate [disclosure] even if a fix isn't ready."

Reavey says Microsoft's shift in philosophy came, in part, out of feedback it has received from the security community over the emotionally charged term "responsible disclosure."

"It makes sense to talk about vulnerability disclosure for what it really is and what works. So we're making a call to shift the way we talk about it ... to coordinated vulnerability disclosure," says Reavey, who posted a blog with this announcement.

If active attacks are exploiting an unpatched flaw, he says, then it makes sense to alert users about the bug. "We're making sure that we can coordinate the release of vulnerability details with a fix that's broadly available for all customers," Reavey says. "In an active attack, it's OK to release vulnerability details. This is a clear call to action for customers to know what to do. We did that recently with the Help Center issue and with the Shortcut files issue [in Windows]."

But Microsoft hasn't changed its stance against full disclosure, where a bug finder releases details of a flaw without the vendor getting a shot at patching it first. Reavey says Microsoft is, however, willing to work with researchers who go that route on a fix for the flaws they reveal publicly. "If someone has the mindset that they want to disclose fully [a vulnerability], we disagree because it's not the best way to protect customers. But we still work with them," he says.

The software giant has been under pressure from security researchers who disagree with what had been Microsoft's traditional stance on responsible disclosure, where a bug finder hands over the discovery to the affected vendor, which then handles the fixes on its own timetable. A series of recent zero-day disclosures, including one from Google researcher Tavis Ormandy and then from a group of hackers calling themselves the "Microsoft-Spurned Researcher Collective," brought the issue to the fore: Microsoft took issue with Ormandy's handling of the disclosure, in which he reported the bug to Microsoft on June 5 and then went public with it four days later -- before the vendor was able to fix it.

Meanwhile, late yesterday Ormandy and other Google researchers issued a plea for speeding up vendors' patch turnaround times. "Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues," they blogged.

The Googlers contend it can be "irresponsible" for a flaw to remain unfixed over a long period of time -- sometimes years. The researchers for the search engine giant say from now on, they will set a disclosure deadline on any serious bug they report, and if the vendor doesn't fix it within that time frame, then they will publish an analysis of the bug as well as any workarounds. Researchers will also be able to set "an aggressive disclosure deadline where evidence exists that blackhats already have knowledge of a given bug," they said. "We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts."

Setting patch deadlines is something Microsoft doesn't support. Microsoft contends that patching is a delicate balance between quality and timeliness; it goes through an involved testing process before issuing a patch.

"The real reason we don't have a set deadline for fixing security issues is that there's not a one-size-fits-all for Microsoft or the industry," Reavey said in the interview. "We want to make sure when we put out an update for customers, it works."

And some flaws take longer to patch than others because of their complexity and how the fix could affect other software products, he says. "The ATL [Active Template Libraries] vulnerability took over a year to get fixed. It was a vulnerability that affected 89 Microsoft products and 37 third-party, non-Microsoft products," Reavey says. "The vulnerability itself was fairly straightforward, but when it involves multiple products, it took some time to get that out and fixed."

Meanwhile, the vulnerability reporting process to Microsoft basically stays the same under CVD, according to Reavey; for example, a Microsoft security representative is still assigned to work with the researcher throughout the life cycle of the bug and its patch.

The reality is that no single party can tackle bugs and the exploits the bad guys build on them, Reavey says. "With this complex landscape we have with cybercrime, no one vendor or person can solve this problem by themselves. The responsibility is to coordinate and get together as a community," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
