Security Advisor

Microsoft To Coordinate with Competitors on Flaw Disclosure

Microsoft works with other vendors on vulnerability disclosures, whether they like it or not. Plus: Hackers push Sony gamers offline; Kaspersky Labs wants kidnap rumors to die down.

• By Jabulani Leffall
• 04/26/2011

Right now, the biggest buzz around Windows IT security is Microsoft's new efforts to work with vendors and competitors on "responsibly disclosing" bugs and security threats that touch Redmond's products and services.

Accordingly, the software giant released two new "Microsoft Vulnerability Research Advisories" as part of the newly formed Microsoft Vulnerability Research program. A companion piece outlining Redmond's goals comes in this nine-page document.

The lofty proclamation amounts to a detente of sorts with competitors like Google, and Adobe Systems. In essence, the documents states that when Microsoft discovers a zero-day flaw in another vendor's product, Redmond will throw in its lot to fix the vulnerability before telling anyone.

"If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers," the document stated.

Redmond is calling the program "Coordinated Vulnerability Disclosure" and the move comes nearly a year after Google engineer Tavis Ormandy released proofs of concept for a Windows OS hole after he notified Microsoft, but before Microsoft was able to remediate the issue.

Many in the security community call Microsoft's effort admirable. Microsoft is certainly taking a leadership role and laying down the gauntlet in the process, encouraging other vendors to adopt similar practices (hint, hint). Redmond does admit that going forward such disclosure processes will continue to be a challenge: "Unfortunately, sometimes a vulnerability becomes publicly known or is exploited before a vendor-supplied remediation is available."

Game On for Hackers
With gaming consoles able to download content, It was only a matter of time before those systems would become vulnerable. Over the weekend, Sony PlayStation 3 owners couldn't play any online-based games due to an outage. It's been so extensive that Sony is in the process of rebuilding its network infrastructure to guard against those attacks from now on.

Sony has not disclosed the cause, but did say that it was an "external intrusion." But events that took place earlier this month may offer clues as to what might be at play. Hackers hit PlayStation.com in early April. Sony blamed a hacking group called "Anonymous." Sony also sued two PS3 owners for releasing code that allows third-party software and operating systems to run on the console. The recent outage is seen as direct retaliation, but Anonymous has denied taking part in the denial-of-service onslaught.

The problem wasn't fixed as of this posting. "Our efforts to resolve this matter involve rebuilding our system to further strengthen our network infrastructure," Sony said in a written statement. "Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security."

Kaspersky on Kidnap Rumors
All IT security researchers usually have to worry about is vendors angry about early disclosures of vulnerabilities, or hackers infitrating their systems and data. For Eugene Kaspersky, the concept of a security breach took on a whole new meaning, we think.

In something straight out of a mystery novel, rumors circulated that the son of Kaspersky Labs' founder had been abducted on his way to work in Russia. Kidnappers then demanded a $4 million ransom.

A Betanews piece reports that the ransom was paid, but the Kapersky family has been tightlipped about the incident. True or not, Kaspersky Labs said the incident has negatively affected the company: "Eugene Kaspersky continues his day-to-day work at the company, and has stated that the unconfirmed information being spread at the moment is harmful for the company."