Microsoft to Introduce Faster Security Disclosures

Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."
  • Business Day? (Score:4, Interesting)

    by republican gourd ( 879711 ) on Saturday May 07, 2005 @05:23PM (#12464069)
    Microsoft isn't open on weekends? Is that too much to ask a multi-billion dollar company?

    Waiting until Monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.
  • by DeityAvatar ( 804062 ) on Saturday May 07, 2005 @05:35PM (#12464125)
    Like a True-Neutral alignment in D&D terminology. They're a kit of the Hacker class, focused on searching out and exposing security vulnerabilities in software, and releasing that information to the public at large. Lawful-Good White Hats would be more likely to send in the information to the company without public exposure. Chaotic-Evil Black Hats (crackers) are the types more likely to exploit the vulnerabilities for their own nefarious purposes. Grey Hats are quite cool.
  • by El Cubano ( 631386 ) on Saturday May 07, 2005 @05:39PM (#12464146)

    Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.

    So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.

    I just don't think it is right to withhold the information, especially if admins can use it to secure their sites, until the threat of public disclosure by a third party is imminent or past.

  • by Eberlin ( 570874 ) on Saturday May 07, 2005 @05:50PM (#12464191) Homepage
    Here's the general idea: first be adamantly pissed off when people release bug information publicly (not telling the story that the same folks notified MS about it eons ago only to find Microsoft ignoring them)

    Then once enough people catch on to this, create a press-release saying "we're on the ball, we're looking into this, and we're doing all of this because that's what customers want and we do what our customers ask for."

    Sounds like standard "Trustworthy Computing" practice to me.
  • by Anonymous Coward on Saturday May 07, 2005 @07:14PM (#12464588)
    That could be nothing more than moving up from snail races to tortoise races. It's not like Microsoft is fast about these things to begin with anyway.

    Woo hoo.

    I can hardly contain my excitement.
  • by Doc Ruby ( 173196 ) on Saturday May 07, 2005 @09:59PM (#12465363) Homepage Journal
    It's interesting that MS has been unable to address so many longstanding, and critically serious, problems with Windows. Big ones like security holes/notices/patches, and little ones like "DB filesystem". And all manner between. With their huge financial and labor resources, so comfortably insulated from really compelling competitive pressure, they'd probably solve (or at least meaningfully address) those problems with real action by now, rather than mere marketing prattle, if they could. If they haven't, they probably can't - organizationally, not technically prohibited. Which is the death knell for a large corporation. The bigger they are, the harder they fall. Though with so much of our economy, industry, and even national security dependent on them, it's hard to feel good about them finally getting out of the way sometime, in such a style.
  • by DaedalusHKX ( 660194 ) on Sunday May 08, 2005 @01:46AM (#12466270) Journal
    No, I have the same issue, and I've worked for a Microsoft partner recently. They do way too much PR and lie entirely too much. I hate M$ and their lies with a passion, even if, beforehand, I had thought people were unjustly hateful of Microsoft. Now I know why, firsthand.

    And no, you did not misread my statement. I "hate" them. Passionately. And I feel entirely justified. If you dealt with some of the internal mail I've dealt with, any of you with a conscience would never get another hour of sleep. I am fortunate my conscience was on hold for a few months before I woke up and made up my mind to leave that place. What disgusts me more than anything is the way they tell people that IE, or exchange or server 2003 is such a pearl. Heh. Oh yes... it *really* cuts down on the costs. Right. I've sent some hefty bills out in recent months. I cannot read those "lower TCO" "facts" any longer without feeling my stomach tighten painfully. I've seen that "lower TCO". Unless someone does work outside of billable hours, Windows and Microsoft cannot stand on their own. If one reads the content of their filings in the antitrust case they've somehow been acquitted of, one can see that they never could. (I am too lazy to seek out the links, but I've read through it all once before to "disprove" to a customer that MS had lied in court.)
  • by 10101001 10101001 ( 732688 ) on Sunday May 08, 2005 @03:01AM (#12466468) Journal
    You actually think it's okay for a company to release exploit info if they're going to get sufficient PR for it?

    If by okay you mean it should be legal, yes. If by okay you mean it should be encouraged, sure. I'd appreciate it if a proper advisory was published at least a day before the exploit was released. But like I said, it's okay legally to print it anytime.

    And no, the advisory wouldn't have made this security company's announcement moot. Their announcement contained specifics MS doesn't put in their advisories, like explicit steps to exploit.

    You obviously don't understand what an advisory is. A proper advisory lists steps to avoid being exploited. This might be as simple as blocking a port or as deep as disabling a service which one needs. As such, a proper advisory by MS would mean that those who took steps to avoid being exploited would not be exploited even if the security company released details about the exploit. Of course, for those unwilling to disable services the release of the exploit doesn't help them, though it might not hurt them any if the exploit is already well known by black hats or other exploits exist which are more convenient to use.

    And the company not releasing the exploit info earlier wasn't a favor to MS, it was a favor to us all. A big favor to those who use MS machines and a smaller favor to others who would have been affected by a worm circulating the internet or more spam from owned machines.

    Just because it was a big favor to everyone doesn't mean it wasn't a favor to MS. MS PR uses the public-exploit-to-patch time as a statistic to try to make their software look better. At the same time, if the company hadn't released the exploit ever, there's nothing that would have kept MS from silently patching the exploit (like I'm sure it silently patches exploits it finds) without ever making it known there was ever a problem.

    Either way, keeping silent two days before the fix is just greedy. It's a PR grab, get the thunder before it goes away. This kind of "I'll get mine, others be damned" hurts us all.

    No doubt it's a PR grab, just as sleazy as MS PR. You don't see me calling for an end to MS PR, do you? That doesn't mean I don't criticize MS and MS PR for not doing a better job in the first place to mitigate risk for people. Having stated that, I would love to see the security company releasing a proper advisory and possibly advise replacement software such that the exploit would be moot. If you have any other suggestions on ways the security company could have maximized the security of users, I'm all ears. Obscurity, in this situation, doesn't maximize security.
