Microsoft denies providing US government with vulnerabilities
The outcry over the NSA's PRISM programme continues unabated. In a report on data sharing between the US government and private companies, US news agency Bloomberg claimed that Microsoft has been providing US secret services with information on security vulnerabilities in its products prior to releasing patches.
In the article, Bloomberg's Michael Riley suggests that this information was not solely intended to help protect government computers. The security vulnerabilities could also, he notes, be exploited to access computers being used by terrorists or hostile military. Microsoft has now emailed a statement to a number of media outlets denying all such allegations. "Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have government participants." It adds that disclosure takes place a short time prior to its monthly patch day.
As an example, it cites the Microsoft Active Protections Program (MAPP). This forwards information about security vulnerabilities, enabling partner companies to build additional security measures into their software. There is also a Security Cooperation Program (SCP) for governments, which provides technical information on security vulnerabilities prior to patch days. While Microsoft can't exclude the possibility that this information is used by government agencies for hacking attacks, it is doubtful that secret service agencies use information provided by MAPP and SCP for such purposes.
Government agencies have much better channels for obtaining security vulnerabilities. There are various independent security companies that sell undisclosed vulnerabilities (0-day exploits) to the highest bidder. Government agencies are regular and popular customers, being able to afford much higher prices than the criminal fraternity. Security vulnerabilities traded on the black market rarely find their way to the software company responsible for the vulnerable product, and exploits consequently offer long windows of exploitation.
The full text of Microsoft's statement is as follows:
"Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have government participants. Prior to any fix being released to the ~1B computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.
One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft's monthly security update release so partners can build enhanced customer protections. Another example of information sharing is the Security Cooperation Program (SCP) for Governments. Membership provides key technical information on security vulnerabilities prior to the security update being publicly available. This allows members more time to prioritize creating and disseminating authoritative guidance for increasing network protections."