• On CBS MoneyWatch: Report: Tiger to Pay Wife $60 Million
August 7, 2008 4:30 PM PDT

Microsoft to seek credit for finding vulnerabilities

by Elinor Mills
  • Font size
  • Print
  • 5 comments
Share

LAS VEGAS--Microsoft is jumping into the responsible disclosure game.

The company announced at the Black Hat security conference on Thursday that it is formalizing its program of informing third-party software vendors of security problems with products that run on top of Windows.

"We've seen the threat environment change," said Andrew Cushman, who runs the Microsoft Security Response Center.

Vista is more secure than XP and has fewer infections, he said. In addition, there are an increasing number of third-party exploits, and fewer browser-based exploits than in third-party software, he added.

The MSRC already reports vulnerabilities to other companies, but now it is asking for recognition in finding the vulnerability. Microsoft will not post advisories on any of the third-party security issues it finds, like it does with vulnerabilities found in its own software, Cushman said.

The issue of responsible disclosure is constantly being debated, with vendors often arguing that researchers are too quick to go public when they find a vulnerability and researchers countering that if they didn't go public the vendors would drag their heels on fixing the problem.

"Microsoft is in a unique position to help in that dimension," he said. "We bring a little different gravitas to the table. I think we can actually change the dynamic around responsible disclosure."

Earlier in the week, Microsoft said it would be giving third-party vendors a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly "Patch Tuesday" updates. The company also announced it would help companies prioritize the vulnerabilities in its updates.

Click here for full coverage of Black Hat 2008.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

News

Tags:

Black Hat 2008,

Microsoft,

security,

disclosure

Share:
Digg
Del.icio.us
Reddit
advertisement
Click Here
Recent posts from Security
PC Tools Internet Security 2010 reviewed
Google Chrome now bundled with Avast
Some Avast users must reinstall flagged files
Defense Dept. pulls software over privacy issues
Microsoft to plug critical IE hole targeted by exploit code
Google wants to unclog Net's DNS plumbing
Avast update falsely flags good apps as malware
Character limitations in passwords considered harmful
Related
Microsoft patching zero-day Windows 7 SMB hole
Microsoft's weak cloud privacy position
Panda's Cloud Antivirus leaves beta behind
Microsoft probing Windows 7 zero-day hole
EA chief: The Wii is 'weaker than anticipated'
Five tips for safe Web shopping
Zero-day flaw found in Web encryption
E-tailers snagged in marketing 'scam' blame customers
Add a Comment (Log in or register) (5 Comments)
  • prev
  • 1
  • next
by jef5623 August 7, 2008 11:28 PM PDT
i think Microsoft will have to plan Vista's security keeping in view the 7th age of computing.
Reply to this comment
by The_Decider August 9, 2008 9:51 AM PDT
What is this alleged "7th age of computing" you keep babbling about?
by benjaminstraight August 8, 2008 3:02 AM PDT
Good that Microsoft is proactively being part of the solution.
Reply to this comment
by smokinmunky August 8, 2008 6:10 AM PDT
Good on MS. At least they're not afraid to talk about their problems unlike the non communication coming out of some other companies. cough cough apple cough
Reply to this comment
by The_Decider August 11, 2008 11:09 PM PDT
Funny how this "minor" tidbit didn't show up on CNET: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html

"The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it."
Reply to this comment
(5 Comments)
  • prev
  • 1
  • next
advertisement
Click Here

The yogurt makers of tech: Gadgets to avoid

Don't buy these one-trick ponies--unless you like gizmos that gather dust.

Google wants to unclog Net's DNS plumbing

The Net giant, ever eager for a faster Internet, debuts its Google Public DNS service. With it, Google could become even more central to the Net.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
Click Here
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET