Microsoft shows class in disclosing Google zero-day

Still stinging from a Google engineer's untimely disclosure of zero-day attack code, Microsoft leads the way for responsible disclosure

Back in June of last year, Tavis Ormandy, a Google engineer in Switzerland, caused quite a stir. As Gregg Keizer reported at the time, Ormandy told Microsoft about a previously unknown security hole in Windows on June 5, and on June 9 he published a full description of the vulnerability, including proof-of-concept code, on the Full Disclosure mailing list.

Microsoft blew a corporate gasket. Mike Reavey, the director of the Microsoft Security Response Center, blogged the following day, "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."

Ormandy responded that he was acting on his own behalf, not as a Google employee, but Reavey didn't buy it. The relationship between Microsoft and Google turned from frosty to frigid.

Last week, Microsoft showed its mettle by publicly issuing a new policy and two new "Microsoft Vulnerability Research Advisories" -- a completely new breed of Microsoft malware-fighting animal.

The policy is a nine-page document saying, basically, that when Microsoft discovers a zero-day flaw in some other vendor's product, Microsoft will work with the vendor to fix the vulnerability -- and make sure it's fixed before telling the world: "If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers."

There are exceptions to the private reporting restriction. The policy allows Microsoft to divulge details if the vulnerability becomes known to the public at large, when there's evidence that the vulnerability is being used, or when the vendor doesn't respond.

That last point has become a bone of contention with several security researchers who claim that Microsoft hasn't responded quickly enough -- or, indeed, hasn't responded at all -- to their reports of Microsoft vulnerabilities. To be fair, no one has yet determined precisely how long it takes for a lack of response to result in a vendor being classified as "unresponsive."

Microsoft accompanied the new procedure with two new MSVR advisories, dubbed MSVR11-001 and MSVR11-002. It comes as no surprise that both of them describe previously undocumented security holes in Google products that had been patched by Google. (MSVR11-002 describes a problem in both Google Chrome and Opera.)

Neither vulnerability is particularly interesting. The first one, a buffer overflow, allows arbitrary code to run, but only in the confines of the Chrome sandbox. It was fixed in Chrome Version 6.0.472.59, which was released seven months ago. The second requires advance knowledge of a specific local IP address. It was fixed in Chrome 8.0.552.215, which was released four months ago. Apparently, Microsoft held onto both reports, pending final publication of its new policy.

If you or someone in your organization ever stumbles on a zero-day vulnerability in a software product, take a few minutes to look over Microsoft's policy. I won't get sucked into debating the virtues of Full Disclosure versus Coordinated Disclosure, but it would certainly be instructive to see how Microsoft says it would treat you and your organization if the shoe were on the other foot.

This story, "Microsoft shows class in disclosing Google zero-day," was originally published at the InfoWorld Tech Watch blog.


Copyright © 2011 IDG Communications, Inc.
