In association with heise online

26 April 2011, 16:19

Microsoft now disclosing third party vulnerabilities


Microsoft's vulnerability disclosure program has been expanded to cover the disclosure of security vulnerabilities in third-party Windows software. The first bulletins released by Microsoft covered an information disclosure flaw common to Google Chrome's and Opera's HTML5 implementations (MSVR11-002) and a use-after-free vulnerability in Chrome (MSVR11-001). Both flaws were fixed several months ago, and both reports appear to have been held back while Microsoft prepared to publish its new policy on vulnerability disclosure.

That new policy, "Coordinated Vulnerability Disclosure at Microsoft", is written up as a nine-page document (Docx file) and covers how Microsoft handles revealing flaws in its own and other companies' software, how it will inform other vendors of flaws, including the level of detail in the report, and when it will go public with an MSVR report. On that last point, Microsoft reserves the right to publish earlier when, prior to a vendor releasing a fix, the technical details of the vulnerability are publicly known or there is evidence of exploitation of the unpatched vulnerability, or if the vendor fails to respond.

