Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:33 AM
Connect Directly

Microsoft Launches 'Coordinated' Vulnerability Disclosure Program

Microsoft abandons controversial 'responsible disclosure' term, supporting public disclosure of unpatched bug details when attacks hit

Microsoft today revealed a new, modified approach to how it works with security researchers and handles vulnerability disclosures, including working with researchers to publicly release vulnerability details of a zero-day flaw when attacks are under way.

In an interview with Dark Reading, Mike Reavey, director of Microsoft Security Response Center, said Microsoft is now promoting "coordinated vulnerability disclosure" (CVD) and moving toward working more closely with researchers in coordinating the release of details on new, unpatched bugs. Reavey says the term "responsible disclosure" had become too emotionally charged and it was time for a shift in philosophy.

"This is not a drastic departure from what we're already doing, but we think it's important," Reavey says. "The two changes here are talking about how responsibility extends beyond disclosure -- where [researchers and vendors] are working together to minimize the risk [to users]," he says. "And if there attacks in the wild, we are working to coordinate [disclosure] even if a fix isn't ready."

Reavey says Microsoft's shift in philosophy came, in part, out of feedback it has received from the security community over the emotionally charged term "responsible disclosure."

"It makes sense to talk about vulnerability disclosure for what it really is and what works. So we're making a call to shift the way we talk about it ... to coordinated vulnerability disclosure," says Reavey, who posted a blog with this announcement.

If active attacks are exploiting an unpatched flaw, he says, then it makes sense to alert users about the bug. "We're making sure that we can coordinate the release of vulnerability details with a fix that's broadly available for all customers," Reavey says. "In an active attack, it's OK to release vulnerability details. This is a clear call to action for customers to know what to do. We did that recently with the Help Center issue and with the Shortcut files issue [in Windows]."

But Microsoft hasn't changed its stance against full disclosure, where a bug finder releases details of a flaw without the vendor getting a shot at patching it first. Reavey says Microsoft is, however, willing to work with researchers who go that route to work on a fix for the flaws they reveal publicly. "If someone has the mindset that they want to disclose fully [a vulnerability], we disagree because it's not best way to protect customers. But we still work with them," he says.

The software giant has been under pressure from security researchers who disagree with what had been Microsoft's traditional stance on responsible disclosure, where a bug finder hands over the discovery to the affected vendor, which then handles the fixes on its own timetable. A series of recent zero-day disclosures, including one from Google researcher Tavis Ormandy and then from a group of hackers calling themselves "Microsoft-Spurned Researcher Collective," brought the issue to fore: Microsoft took issue with Ormandy's handling of the disclosure, in which he reported the bug to Microsoft on June 5 and then went public with it four days later -- before the vendor was able to fix it.

Meanwhile, late yesterday Ormandy and other Google researchers issued a plea for speeding up vendors' patch turnaround times. "Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues," they blogged.

The Googlers contend it can be "irresponsible" for a flaw to remain unfixed over a long period of time -- sometimes years. The researchers for the search engine giant say from now on, they will set a disclosure deadline on any serious bug they report, and if the vendor doesn't fix it within that time frame, then they will publish an analysis of the bug as well as any workarounds. Researchers will also be able to set "an aggressive disclosure deadline where evidence exists that blackhats already have knowledge of a given bug," they said. "We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts."

Setting patch deadlines is something Microsoft doesn't support. Microsoft contends that patching is a delicate balance between quality and timeliness; it goes through an involved testing process before issuing a patch.

"The real reason we don't have a set deadline for fixing security issues is that there's not a one-size-fits-all for Microsoft or the industry," Reavey said in the interview. "We want to make sure when we put out an update for customers, it works."

And some patches take longer to fix than others due to the complexity of the flaw and how it could affect other software products, he says. "The ATL [Active Template Libraries] vulnerability took over a year to get fixed. It was a vulnerability that affected 89 Microsoft products and 37 third-party, non-Microsoft products," Reavey says. "The vulnerability itself was fairly straightforward, but when it involves multiple products, it took some time to get that out and fixed."

Meanwhile, the vulnerability reporting process to Microsoft basically stays the same with CVD, according to Reavey, including assigning a Microsoft security representative to work with the researcher throughout the life cycle of the bug and patching, for example.

The reality is no one party can tackle bugs and exploits by the bad guys, Reavey says. "With this complex landscape we have with cybercrime, no one vendor or person can solve this problem by themselves. The responsibility is to coordinate and get together as a community," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.