
Microsoft to Introduce Faster Security Disclosures

Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."

  • Re:Business Day? (Score:5, Insightful)

    by 0x461FAB0BD7D2 ( 812236 ) on Saturday May 07, 2005 @05:34PM (#12464117) Journal
    Would IT technicians come back on weekends to fix their systems? If not, then making vulnerabilities public at that time only helps script kiddies.

    Waiting until Monday ensures that IT guys get a rest too.
  • by lecithin ( 745575 ) on Saturday May 07, 2005 @05:37PM (#12464135)
    "Advisories will be issued within one business day of a publicly reported security hole"

    If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?

    I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.
  • My favorite line (Score:5, Insightful)

    by portwojc ( 201398 ) on Saturday May 07, 2005 @05:51PM (#12464197) Homepage
    when researchers jump the gun and release vulnerability details before a patch is available.

    Jump the gun? Oh, that's right, telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.

    Gotta love these articles. Nice spin, making the researchers look like the bad guys...

    At least now we'll get to hear about flaws quicker, and that they don't have a patch or a workaround.

  • Re:Business Day? (Score:3, Insightful)

    by Gabey ( 18874 ) <gps@extrema.net> on Saturday May 07, 2005 @05:53PM (#12464208) Homepage
    Would IT technicians come back on weekends to fix their systems?

    A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.
  • by AstroDrabb ( 534369 ) * on Saturday May 07, 2005 @06:02PM (#12464239)
    While a lot of mods modded you up Funny, this is exactly what will happen. MS will just announce the exploits they want. Those exploits will be the ones they have a quick-fix for. MS is all about marketing. MS wants to be able to say, "See, we fixed XXX number of bugs/holes this past year and we fixed each one within 24 hours of 'notification' or less."

    MS will just overlook any 'exploit' they can't fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".

    Give me a call when MS becomes a _real_ company and just owns up to the fact that there will always be bugs in code. As a Senior Programmer for a Fortune 500, I can back up that statement. Bugs/exploits happen and there is nothing anyone including MS can do about it. The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit. These notifications shouldn't have to go through a bunch of bean-counters.

  • Re:Business Day? (Score:5, Insightful)

    by 0x461FAB0BD7D2 ( 812236 ) on Saturday May 07, 2005 @06:06PM (#12464255) Journal
    Good IT technicians do what it takes to keep their systems secure, given their resources. But expecting them to slave over their systems, testing and rolling out every new patch as soon as it's out is ludicrous.

    If coming in on a weekend isn't asking too much, where do you draw the line?
  • Re:Business Day? (Score:3, Insightful)

    by 0x461FAB0BD7D2 ( 812236 ) on Saturday May 07, 2005 @06:11PM (#12464268) Journal
    Perhaps. However, this is the downside of people making their discoveries public at inappropriate times.

    If a system was created where people who discovered the vulnerabilities were credited in the advisories, which would be made public after a solution was found, it would solve pretty much everything.

    Then again, Orwell taught me that utopia isn't all it's cracked up to be.
  • by devitto ( 230479 ) on Saturday May 07, 2005 @06:16PM (#12464292) Homepage Journal
    I discussed this with the MS Head of UK security (during an MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix when you know bad press is on the way." and followed up with "What is the point of announcing 'There is a big Windows bug out on Tuesday', without enough information to judge impact - either before or after the announcement..."

    I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...

    MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.
  • by vsprintf ( 579676 ) on Saturday May 07, 2005 @07:42PM (#12464736)

    It's a big cone shaped hat you have to put on before you sit in the corner.

    Okay, can we get the PC police over here? That is no longer allowed because it might damage the self-esteem of people who have no reason to have any. Take the poster away, and book him.

  • Depends (Score:3, Insightful)

    by Craig Ringer ( 302899 ) on Saturday May 07, 2005 @08:38PM (#12465020) Homepage Journal
    I'll head in on a weekend for really critical problems - for example, an OpenSSH vulnerability that I know will affect work's firewall. No way do I want to clean up the mess if I leave that unfixed - it sucks much less to go in on a weekend and fix it.

    Most security holes are trivially fixed by remote admin anyway. "apt-get update; apt-get upgrade" and you're done in my case, usually. Windows admins have to use RDP/VNC/ICA and Windows Update, but can still get the job done pretty easily.

    Of course, if the patch breaks something you need to go in, but in most cases it's really fuss-free.
  • by innocent_white_lamb ( 151825 ) on Sunday May 08, 2005 @03:11AM (#12466496)
    So if a threat is detected by MS's own engineers it makes sense to not make it public

    I couldn't disagree more.

    Who's to say that a flaw discovered by MS employees wasn't discovered months ago by the bad guys who have been running rampant over MS-powered sites lo these many months?

    If there is a flaw, tell me about it. Then I can make an informed decision to deal with it, which could include shutting down some services, installing patches, doing stuff in a different way that is less exposed to the flaw, or you-name-it. Even pulling the plug.

    But if I'm kept in the dark and don't even know that a flaw exists, how am I to deal with it?
