SOFTWARE GIANT Microsoft has tipped its hat in the direction of vulnerability disclosures and promised to let people know when third-party applications are failing.
Some might say that Microsoft should focus on cleaning up its own backyard before commenting on the state of anyone else's, but not Matt Thomlinson, general manager for trustworthy computing security at Microsoft, who apparently thinks that now is the time for the company to stand up and act as an authority about software that is well-designed and secure. (*cough*)
Thomlinson took to the Microsoft security response blog pages to explain some changes at the firm, and explained that Microsoft's "Coordinated Vulnerability Disclosure" (CVD) process is being extended to third-party products.
"We're providing more transparency and insight into our disclosure philosophy by announcing three updates to our disclosure practices - a CVD at Microsoft document, MSVR Advisories, and our internal corporate Disclosure of Vulnerabilities policy," he explained.
"The Coordinated Vulnerability Disclosure (CVD) at Microsoft document clarifies how Microsoft responds not only as a vendor impacted by vulnerabilities in its products and services, but as a finder of vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors."
Microsoft has already found fault with Google's Chrome web browser, and has posted two advisories. It added that the problems had already been reported to the companies and had already been fixed. Which they were, over a month ago.
In-house, Microsoft has adopted an internal disclosure of vulnerabilities policy, which should help it stamp out any problems with third-party software and, perhaps, its own. This will see its staff report problems as and when they come across them.
"After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem," explained Thomlinson.
"By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimise customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted Internet for everyone." µ
MS makes Silverlight... that's spy/malware on itself already, as is their handy feature in IE to always send any URL you type in the address bar to MS search, just so they can be 'secure' in knowing what you visit, you know. To name but 2 things.
The reason why things seem more 'secure' is because the people forgot the definition of it, secure from what?
Secure from spying? nope.
Secure in privacy? Nope.
Secure in not having external parties change your software or settings? Nope.
Secure from big conglomerates gathering data to sue you? Nope.
The definition of secure is now 'our company is secure in getting a big chunk of the pie that is your life and privacy and freedom'
So why is Microsoft's latest OS code more secure than any common version of Linux, than Solaris, than OS X, than pretty much any other OS actually?
(just check www.secunia.org for the vulnerability statistics. Windows 7 licks pretty much everything.)
It took them near enough 30 years to come up with a decent OS and still that's not secure enough to let run without many extra applications to protect its integrity.
Indeed, MS is the last to criticize. I rather think it is yet another attempt to get a grip on 3rd party software, MS Certification being such a huge success and all.
Microsoft gets a lot of criticism, but very often it's not deserved.
Take a pretty secure operating system, like Windows XP or Windows 7. Add a layer of manure on it, i.e. applications written and tested (if at all) by incompetents. Then you wonder why your experience stinks and you blame Microsoft. It's silly and unfair.
I'm a developer of .Net applications for a small company. I've read several books on how to write secure code, some even published by Microsoft and written by Microsoft employees. My applications are now more secure, thanks to this. However, lots of other people in my situation don't bother.
The solution is clear: Microsoft will have to write software that writes software. We developers will be out of a job, Skynet will take control of the world, but at least the software will be secure. Besides, nobody will dare look for vulnerabilities any more.
Microsucks is so clueless and unscrupulous that they wouldn't know secure code if someone hit them over the head with it.