Microsoft Kicks Off Third-Party Bug Warnings
Pigskin-Referee writes "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."
Good idea (Score:1)
Java's and Adobe's updates suck. (Score:2, Informative)
Ah Java and Adobe!
Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log off and log back on as the admin. "Switch User"? Turned it off for performance reasons.
Then in Admin mode, gotta re-download all of the updates
Re: (Score:1)
Re: (Score:2)
There is an "old" saying in corporate IT: "Friends don't let friends downgrade from XP"
Because fixing all the legacy shit that "upgrade" to Vista/7 will break will make you pop more anti-depressants than a trophy wife wed to a jealous 90-year-old gay.
Deal with it. (Score:2)
Seriously, are you really bitching that Windows finally has a security model? God damn you people are impossible to please.
Re: (Score:3)
My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.
Re: (Score:2)
In what way does it matter? If a user who is in important, or even key position in a company suffers from reduced efficiency because of the upgrade, it's your head that will roll when he/she complains to the boss.
Re: (Score:2)
Use Win 98 then; single user, admin all the time, security a total afterthought. To be fair, Win 98 was designed before the always on network connections were common, certainly for home users.
Say an honest developer makes an application poorly, requiring it to have administrator access to run, and since it was made poorly, it gets cracked. By giving that application administrator access, you gave up a PC and everything it has accessible. Its network shares, database access using Windows authentication
Re: (Score:2)
Vast majority of "critical people" in the company wouldn't be able to define what "data access" is in the way you reference it. They don't care either, as it's not part of their job description. And frankly, having seen what they have to work with, I understand why. The intricate details of their work look just as arcane to me as IT's work must look to them.
Point is, there's no need for Win98 as you reference it - XP runs pretty much all legacy 16-bit stuff well enough, and being 7 years old most of the arc
Re: (Score:2)
My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.
And if my work is dependent on that application, which is now not being updated, I don't give a shit as long as the damn thing runs. If it doesn't, I will downgrade my OS if necessary.
Applications are important to users, not OSes.
Re: (Score:2)
If my work is dependent on an application that no longer runs on modern operating systems, then I have a problem. I will make the application work, and/or try to find a way to not be dependent on unsupported software that will leave me up shit creek in future. Luckily VMs make it easy to run various operating systems as needed, even if modern hardware is poorly supported by them.
Re:vista/7 (Score:2)
Just a little more time.
Let's get it in the open, Vista was a documented Hail Mary from when they lost two entire years of dev time and started over about 2004. 7 is just what Vista should have been if they had planned better.
So now that 7 got the "housekeeping" done, it's time to see what Windows 8 is, with its plans for App Stores vs. whatever evil media tracking tricks get baked into the OS.
Re: (Score:2)
Too bad I don't need those versions. Since XP came out I started migrating away from Windows. Now I can do most anything I need on Linux and the few things I need Windows for XP does fine.
Re: (Score:2)
Too bad I don't need those versions. Since XP came out I started migrating away from Windows.
I did the same thing, although 7 was good enough so I came back. Now I run both Windows and Ubuntu.
Re: (Score:2)
Re: (Score:2, Informative)
Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log off and log back on as the admin. "Switch User"? Turned it off for performance reasons.
So, let me get this straight, you have enabled a high(er) security policy, and are now complaining when the higher security policy you have implemented gets in the way of something you want to do. Let's try looking at this another way:
Re: (Score:2)
but that is STILL not Microsoft's fault.
Have you ever used any other operating systems?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I quite like the approach of just installing to your home directory by default, and offering to install for all users as a secondary option. It works well for single user systems and somewhat limits the damage that can be caused on a multi-user system.
In my opinion too much software is packaged to target some experience in between individual use and corporate use. I like that Google Chrome just installs somewhere and updating just happens without me really being involved or having to prod it along. Minecraf
Re: (Score:2)
Correct, user applications should install at the user level. Chrome installed on Win 7 for me under a standard user account. Acrord, Flash, Java require admin level, maybe due to where the updated files are placed or registry, and because they are system applications.
Fair comparison to Linux (Score:1)
Re: (Score:1)
It's *not* a fair comparison for the simple reason that Linux is open source for the most part. It can be much harder to find a security vulnerability in 3rd-party software, whereas most applications running on Linux are open source.
Re: (Score:2)
That's utter bullshit. Finding security holes makes little difference if it's open source or not. If you'd subscribed to any of the bug/security mailing lists you'd notice that predominantly it's closed source software popping up with vulnerabilities.
It's not hard to find holes in a leaking boat if you look hard enough, it's just whether the holes are big enough to warrant fixing them.
Re: (Score:1)
Re: (Score:2)
That was the point. It's easier to close the security holes in open source than closed source.
Re: (Score:2)
It's *not* a fair comparison for the simple reason that Linux is open source for the most part.
Who gives a rat's arse if it's fair?
I just want to know which is BETTER.
Re: (Score:1)
Re: (Score:1)
Mary collects 354 coins, Paul collects 108. Whose coin collection is worth more?
It depends on the value of each coin.
Not a single highly or extremely critical advisory issued for the 2.6 kernel, and 42% of the advisories not critical at all. For Windows 7, 42% of the advisories were highly or extremely critical. 66% of the vulnerabilities of Windows 7 are remotely exploitable, vs. 15% of 2.6.x.
Besides that, you're comparing less than two years of history to over 7 as well. In addition the environment a
Interesting "advisories" (Score:2, Insightful)
Yeah... I call BS
Re: (Score:2)
I noticed that. I also noticed they didn't list the vendors I'd call the major offenders: Adobe (Flash, Reader) and Java. I find it a little unlikely that none of those products has any open vulnerabilities. However, it says they're only doing responsible disclosure (CVD) and I would as easily believe that Adobe and Oracle are still unwilling to talk about security problems as much as MS just wants to smear Google and Mozilla (sorry, Opera, nobody really sees you as a threat).
Re: (Score:2)
OK, I just looked at the vulnerabilities:
http://www.microsoft.com/technet/security/advisory/msvr11-001.mspx [microsoft.com]
Affects: Google Chrome version 6.0.472.55 and earlier
http://www.microsoft.com/technet/security/advisory/msvr11-002.mspx [microsoft.com]
Affects: Google Chrome version 8.0.552.210 and earlier, Opera version 10.62 and earlier
WTF? Google Chrome stable is v10, and Opera stable is v11.10.
Re: (Score:2)
Re: (Score:2)
Why would someone who doesn't keep their auto-update software up-to-date read MSVR?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones. Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.
Until the competitors start to pay Microsoft to stop doing it.
Re:Interesting "advisories" (Score:5, Insightful)
Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones.
Yes, that's why I mentioned Adobe Flash, Adobe Reader, and Java JRE and wondered why they're not mentioned. Do you pay any attention at all to how malware infections actually occur? I'm sure #1 is and always will be social engineering, but those three applications have to be in the top 5 based on the number of in-the-wild exploits.
Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.
One would think that MS would be inclined to post security bulletins for the most severe and most widespread issues. As you say, there are bugs in all software, but informing users about those which are the most severe and the most likely to affect them makes the most sense. Nobody cares if Firefox 2.0 has a security vulnerability because nobody uses it and so nobody exploits it. Nobody is going to write an exploit today for a vulnerability which closed over six months ago on a piece of software which is several versions out of date on software which automatically updates itself. It's ludicrous to spend the time warning people about it, and since MS does have a potential conflict of interest by listing 3rd-party software, it makes even less sense to only issue security warnings on software they are in direct competition with because that will only serve to call into question MS's impartiality.
Until the competitors start to pay Microsoft to stop doing it.
That will not happen. Read the article. MS is using CVD (aka responsible disclosure) while issuing these reports. Why would a vendor pay to get MS to stop issuing alerts based on cooperative vulnerability disclosures?
Re:Interesting "advisories" (Score:4, Insightful)
Anyone else notice their advisories are against competitors? Yeah... I call BS
Are you calling BS because you do not think that other companies besides MS have vulnerabilities in their products?
Or are you calling BS because you believe that MS should keep quiet about vulnerabilities they find in products other than their own?
And yes...I am calling BS on your calling BS.
Re: (Score:2)
But maybe it wasn't clear enough.
I call BS on the "Advisories" because....
Ah hell with it, I'm not responding to a troll, except this response and only this response. No more responses after this response of me responding to the troll.
Re: (Score:2)
Do you actually think they will disclose vulnerabilities without the approval of the company? Then re-read the summary. It says right there that they will coordinate with the third party before the advisory is issued.
Even if they wanted to, if their disclosure cost the third party money, they could be sued. They won't risk that.
So his 'bs call' is perfectly legit.
Re: (Score:1)
Pay No Attention (Score:2)
To the bugs behind the OS.
Internet Malware .. (Score:2)
> Pay no attention to the bugs behind the OS.
And whatever you do don't mention Windows, talk about Internet malware instead ... :)
Anything that is an improvement (Score:1)
Where exactly are these being announced? (Score:2)
There's nothing concerning Chrome or Opera in the Microsoft Security Advisory RSS feed.
Really? (Score:2)
because many users look to Microsoft to ensure that their computers are secure
Okay, that explains a lot.
A move I agree with! (Score:3)
Finally something Microsoft is doing right. Fact is, "Windows" is vulnerable as hell not only because of their own crap, but the crap of others... and truth be told, it's probably more other crap that does more damage to Windows than anything else. Okay so there's a combination of stupid in effect... Microsoft can't seem to limit the applications and drivers to prevent them from doing bad things (as they should) and bad apps need backward compatibility... yeah... no... not really but Microsoft seems to think so.
Anyway, keep doing that and a little more and I won't hate Microsoft OSes so much.
Re: (Score:3)
But instead they call out browsers. Browsers that have significant market share on them.
Not only that, but old browsers with old bugs. I mean if we were to do that we should call out Windows 95/Windows NT/2000/2003 RC1/Vista bugs that they haven't patched.
Not because they don't support them anymore, but because they are still not fixed in that release iteration.
Re: (Score:2)
bad apps need backward compatibility... yeah... no... not really but Microsoft seems to think so.
Actually, you mean "yeah, and Microsoft is right."
Full-Time Jobs For All! (Score:2)
Wow, this endeavor could very well add thousands, or tens of thousands, of new jobs to the economy. Or, it's a PR campaign to push IE9, et al. MS apps.
Hmmm, which is more likely?
If you REALLY want to make Windows secure (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
The registry is no worse and no more complex than /boot/, /dev/, /etc/, and parts of /lib/ combined. That's all the registry is, with a little /home/ thrown in for HKCU. If you honestly believe otherwise, you've honestly never dealt with either system for any extended period with any applications of consequence. It takes maybe one or two hours of serious study to understand how the registry is laid out and what each bit does for the system. It's not hard. People are just intimidated. They think that e
vulnerability lies with a third-party program? (Score:2)
"Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an adv
Dilution (Score:2)
A large number of the security holes in Windows apps are caused by flaws in Windows libraries. Calling out others who have used your flawed library has the effect of diluting warnings about yourself. MS won't look so bad if they point their finger at others and say "see, theirs sucks too!"
Cool! (Score:1)
Now spammers will have one more vector for scareware distribution!!!
Oh, I so love this world!!!!