August 7, 2008 4:30 PM PDT

Microsoft to seek credit for finding vulnerabilities

by Elinor Mills

LAS VEGAS--Microsoft is jumping into the responsible disclosure game.

The company announced at the Black Hat security conference on Thursday that it is formalizing its program of informing third-party software vendors of security problems with products that run on top of Windows.

"We've seen the threat environment change," said Andrew Cushman, who runs the Microsoft Security Response Center.

Vista is more secure than XP and has fewer infections, he said. In addition, there are an increasing number of third-party exploits, and fewer browser-based exploits than in third-party software, he added.

The MSRC already reports vulnerabilities to other companies, but now it is asking for recognition in finding the vulnerability. Microsoft will not post advisories on any of the third-party security issues it finds, like it does with vulnerabilities found in its own software, Cushman said.

The issue of responsible disclosure is constantly being debated, with vendors often arguing that researchers are too quick to go public when they find a vulnerability and researchers countering that if they didn't go public the vendors would drag their heels on fixing the problem.

"Microsoft is in a unique position to help in that dimension," he said. "We bring a little different gravitas to the table. I think we can actually change the dynamic around responsible disclosure."

Earlier in the week, Microsoft said it would be giving third-party vendors a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly "Patch Tuesday" updates. The company also announced it would help companies prioritize the vulnerabilities in its updates.


Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

(5 Comments)
by jef5623 August 7, 2008 11:28 PM PDT
I think Microsoft will have to plan Vista's security keeping in view the 7th age of computing.
by The_Decider August 9, 2008 9:51 AM PDT
What is this alleged "7th age of computing" you keep babbling about?
by benjaminstraight August 8, 2008 3:02 AM PDT
Good that Microsoft is proactively being part of the solution.
by smokinmunky August 8, 2008 6:10 AM PDT
Good on MS. At least they're not afraid to talk about their problems unlike the non communication coming out of some other companies. cough cough apple cough
by The_Decider August 11, 2008 11:09 PM PDT
Funny how this "minor" tidbit didn't show up on CNET: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html

"The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it."