Microsoft kicks off third-party bug warnings with two for Chrome

Google patched the bugs in September and December 2010

Microsoft today released a pair of security advisories for Chrome, the browser built by rival Google.

One of the advisories also called out a vulnerability in Opera.

The change is part of an expansion of the vulnerability disclosure policy Microsoft launched last summer, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC).

The bugs were discovered by Microsoft researchers, and reported to the security teams responsible for Chrome and Opera. Google patched the two Chrome vulnerabilities last September and December; Opera fixed its browser flaw in October 2010.

The advisories were the first ever from Microsoft for bugs in third-party products. According to Reavey, they will be followed by others, as necessary. "If we're in a situation where we find a vulnerability in some other vendor's product, we will release an advisory ourselves," said Reavey.

At times, those advisories will appear before the affected vendor has a patch ready for users, Reavey acknowledged. "If there's an attack [ongoing], we'll release an advisory, most of the time with workarounds and mitigations, but we will continue to coordinate when we do so," he said.

In no instance will Microsoft issue an advisory on someone else's software without first contacting and coordinating work with the other vendor, Reavey stressed.

Microsoft follows the same practice for flaws its researchers find in the company's own software, pointed out Andrew Storms, director of security operations for nCircle Security.

Storms applauded the move, largely because of his high opinion on the advisories the company produces for its own code. Microsoft's advisories are much more thorough than those from most rivals, he said, and more easily digestible.

This isn't a sudden shift, said Storms. "Back in 2008 at [the] Black Hat [security conference], Microsoft said they were interested in finding vulnerabilities in the entire Windows ecosystem. It took them three years to get it going," he said.

Microsoft kicked off its Microsoft Vulnerability Research (MSVR) program in August 2008, saying then that its security researchers would report bugs they found to third-party developers, and coordinate with those vendors to make sure details did not go public before a patch was in place.

At the time, however, Microsoft said it would not issue security advisories for third-party software.

Today's advisories were part of a larger announcement by Microsoft that made public details of its bug policy, which it dubbed "coordinated vulnerability disclosure," or CVD, almost nine months ago.

Last July, Microsoft said it would drop the term "responsible disclosure" used to describe the back-and-forth between bug finders and vendors, and instead use the new moniker CVD. At the time, Microsoft admitted the move was primarily a name change designed to eliminate what it said was the "emotional" context of the older term.

Microsoft published the policy today -- something it had not done last year -- and asked that others in the security community "embrace the purpose of this shift, which is ultimately about minimizing customer risk, not amplifying it."

Today's advisories are a demonstration of that policy in action, said Reavey, who also acknowledged that future advisories will address complaints that critics had aired about CVD.

"One thing we hear from 'full disclosure' [proponents' is that customers can be put at risk with CVD," he said, talking about the opposing philosophy by some researchers, who believe in making vulnerabilities public to push vendors' patching pace. Advisories that Microsoft issues down the road about bugs that lack a patch are an attempt to answer those critics.

Microsoft also made public a policy that's been in place since November 2010 that requires all employees to follow the CVD guidelines, and report bugs in third-party products to the MSVR program. The new rules for internal researchers applies whether they found the flaws on company time, or their own, said Reavey.

When asked whether Microsoft expects others to follow its lead -- some Google security engineers, for instance, have released information about Windows bugs before Microsoft had patches ready -- Reavey didn't answer directly.

"In general, this is the shift we would like to see the industry move toward," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsGoogleMicrosoftsecurityWindowsbrowserssoftwareMalware and Vulnerabilitiesoperating systems

More about Andrew Corporation (Australia)AppleGoogleMicrosoftnCircleTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place