On December 31st, a Google researcher disclosed a privilege escalation bug in Windows that he had discovered. The researcher even released a PoC (proof-of-concept) program for the Windows 8.1 weakness, in which he details how to take advantage of the vulnerability.
Today, Microsoft issued a call for ‘better coordinated vulnerability disclosure.’ The issue itself is straightforward. Some people, including Google, believe that full public disclosure pushes software vendors to fix vulnerabilities quickly and allows affected customers to take prompt action to protect themselves. This is not always “black and white,” especially when the software you are exposing belongs to a competitor.
Microsoft disagrees with this approach. In fact, Microsoft believes a software vendor should be able to fully assess the potential vulnerability, evaluate the issue against the threat landscape, and issue a fix before the information is disclosed to the public. This would prevent an attacker from exploiting the vulnerability during the window in which no fix exists.
“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” Microsoft’s Chris Betz stated in an official blog post. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.”
See the full story here: A Call for Better Coordinated Vulnerability Disclosure