Microsoft to Introduce Faster Security Disclosures
Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
Business Day? (Score:4, Interesting)
Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.
There is still a problem ... (Score:4, Interesting)
Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.
So, Microsoft will only do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.
I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.
Re:Interesting Strategy? (Score:2, Interesting)
Then once enough people catch on to this, create a press-release saying "we're on the ball, we're looking into this, and we're doing all of this because that's what customers want and we do what our customers ask for."
Sounds like standard "Trustworthy Computing" practice to me.
Faster than they currently do? (Score:1, Interesting)
Woo hoo.
I can hardly contain my excitement.
Re:Interesting Strategy? (Score:2, Interesting)
And no, you did not misread my statement. I "hate" them. Passionately. And I feel entirely justified. If you dealt with some of the internal mail I've dealt with, any of you with a conscience would never get another hour of sleep. I am fortunate my conscience was on hold for a few months before I woke up and made up my mind to leave that place. What disgusts me more than anything is the way they tell people that IE, or Exchange, or Server 2003 is such a pearl. Heh. Oh yes... it *really* cuts down on the costs. Right. I've sent some hefty bills out in recent months. I cannot read those "lower TCO" "facts" any longer without feeling my stomach tighten painfully. I've seen that "lower TCO". Unless someone does work outside of billable hours, Windows and Microsoft cannot stand on their own. If one reads the content of their filings in the antitrust case they've somehow been acquitted of, one can see that they never could. (I am too lazy to seek out the links, but I've read through it all once before to "disprove" to a customer that MS had lied in court.)
Re:good PR isn't worth people getting hacked... (Score:2, Interesting)
If by okay you mean it should be legal, yes. If by okay you mean it should be encouraged, sure. I'd appreciate it if a proper advisory was published at least a day before the exploit was released. But like I said, it's okay legally to print it anytime.
And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in their advisories, like explicit steps to exploit.
You obviously don't understand what an advisory is. A proper advisory lists steps to avoid being exploited. This might be as simple as blocking a port or as deep as disabling a service which one needs. As such, a proper advisory by MS would mean that those who took steps to avoid being exploited would not be exploited even if the security company released details about the exploit. Of course, for those unwilling to disable services the release of the exploit doesn't help them, though it might not hurt them any if the exploit is already well known by black hats or other exploits exist which are more convenient to use.
And the company not releasing the exploit info earlier wasn't a favor to MS, it was a favor to us all. A big favor to those who use MS machines and smaller favor to others who would have been affected by a worm circulating the internet or more spam from owned machines.
Just because it was a big favor to everyone doesn't mean it wasn't a favor to MS. MS PR uses the public exploit to patch time as a statistic to try to make their software look better. At the same time, if the company hadn't released the exploit ever, there's nothing to have kept MS from silently patching the exploit (like I'm sure it silently patches exploits it finds) without ever making it known there was ever a problem.
Either way, keeping silent two days before the fix is just greedy. It's a PR grab, get the thunder before it goes away. This kind of "I'll get mine, others be damned" hurts us all.
No doubt it's a PR grab, just as sleazy as MS PR. You don't see me calling for an end to MS PR, do you? That doesn't mean I don't criticize MS and MS PR for not doing a better job in the first place to mitigate risk for people. Having stated that, I would love to see the security company releasing a proper advisory and possibly advise replacement software such that the exploit would be moot. If you have any other suggestions on ways the security company could have maximized the security of users, I'm all ears. Obscurity, in this situation, doesn't maximize security.