
Microsoft: ‘We urge Google to make protection of customers our collective primary goal’



On December 31st, a Google researcher discovered and disclosed a privilege escalation bug in Windows. The researcher also released a PoC (Proof of Concept) program for the Windows 8.1 weakness, in which he details how to take advantage of the vulnerability.

Today, Microsoft has issued a call for ‘better coordinated vulnerability disclosure.’ Basically, the issue is straightforward. Some people, including Google, believe that full public disclosure convinces software vendors to fix vulnerabilities quickly and allows affected customers to take quick action to protect themselves. This is not always “black and white,” especially when it’s the competitor’s software you are exposing.

Microsoft disagrees with this method. In fact, Microsoft believes a software vendor should be able to fully assess the potential vulnerability, evaluate the issue against the threat landscape, and issue a fix before disclosing the information to the public. This would prevent an attacker from utilizing the vulnerability when there is no solution to fix the issue.

“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” Microsoft’s Chris Betz stated in an official blog post. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.”

See the full story here: A Call for Better Coordinated Vulnerability Disclosure
