Microsoft Tweaks Its Bug Disclosure Process
As bug sleuths find and disclose more security holes in Microsoft products, giving the company little or no advance warning, the software titan tries to lower the tensions between all parties in order to better protect users.
In an effort to work more amicably with security researchers who feel Microsoft too often ignores them, the software giant announced it is tweaking its policy on when security researchers should disclose newly found flaws and exploits to vendors, hackers, and security administrators.
At the same time, Microsoft (NASDAQ: MSFT) released a "Fix it" program that automatically implements one of the workarounds the company called out to address an exploit, released publicly by hackers in mid-July, that takes advantage of a newly discovered hole in the Windows Shell.
As soon as the exploit surfaced, Microsoft issued a Security Advisory for systems administrators and PC help desk staffers. The company has now also provided a knowledge base article that explains how to use the Fix it program to disable the graphical representation of icons displayed on the Windows Task Bar and Start Menu, which effectively blocks exploitation of the flaw.
In the meantime, however, the software firm is urging more collegial interactions between software vendors and security researchers, after a group of hackers started an anonymous website, launched in early July, to publish more zero-day exploits in protest of what they view as Microsoft's heavy-handed response to the public disclosures of flaws in Microsoft software.
Microsoft has always called for what it considers "responsible disclosure," but others in the developer community and elsewhere have pushed for more aggressive "full disclosure," essentially the idea that any information about a security flaw should be released as soon as it's known.
Now, Microsoft is trying to tone down the rhetoric and urge more cooperation among all parties, in a philosophical turn it has dubbed "coordinated vulnerability disclosure," according to a post to the Microsoft Security Response Center (MSRC) blog Thursday.
"In recognition of the endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration and customer defense, we believe that the community mindset needs to shift, framing a key point -- that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers," Matt Thomlinson, general manager of Microsoft's Trustworthy Computing Security, said in the post.
Hackers have repeatedly accused Microsoft over the years of ignoring security flaw reports, often for months and sometimes even years. Some hackers have taken it personally enough to publicly disclose security exploits at the same time as they notify Microsoft.
That, they say, at least gets Microsoft's attention.
In contrast, Microsoft views the public disclosures of such so-called "zero-day" exploits -- meaning the exploit has been revealed before there is a patch -- as putting users' PCs at risk, and putting the company under increased pressure to rush patches out.
Microsoft's latest proposal still calls for those who find security vulnerabilities to report them to the affected vendor in advance of any public disclosure of the flaw or of ways to exploit it. However, the company is proposing only slight adjustments to its previous policy -- mostly, it appears, adjustments in attitude, because the proposal is still very similar to Microsoft's earlier responsible disclosure process.
"The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. [However,] if attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves," Thomlinson said.
Even Thomlinson admits that the company's "coordinated vulnerability disclosure," or CVD, "does not represent a huge departure" from responsible disclosure.
That means, of course, that as long as the rancor among the various parties persists, little has actually changed.
"As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk -- not amplifying it," Thomlinson added.