Slashdot Mirror


Microsoft Kicks Off Third-Party Bug Warnings

Pigskin-Referee writes "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."

4 of 86 comments

  1. Interesting "advisories" by jhoegl · Score: 1, Insightful

    Anyone else notice their advisories are against competitors?

    Yeah... I call BS

    1. Re:Interesting "advisories" by egamma · Score: 3, Insightful

      Anyone else notice their advisories are against competitors? Yeah... I call BS

      Are you calling BS because you do not think that other companies besides MS have vulnerabilities in their products?

      Or are you calling BS because you believe that MS should keep quiet about vulnerabilities they find in products other than their own?

      And yes...I am calling BS on your calling BS.

    2. Re:Interesting "advisories" by Bacon+Bits · Score: 4, Insightful

      Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones.

      Yes, that's why I mentioned Adobe Flash, Adobe Reader, and Java JRE and wondered why they're not mentioned. Do you pay any attention at all to how malware infections actually occur? I'm sure #1 is and always will be social engineering, but those three applications have to be in the top 5 based on the number of in-the-wild exploits.

      Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.

      One would think that MS would be inclined to post security bulletins for the most severe and most widespread issues. As you say, there are bugs in all software, but informing users about those which are the most severe and the most likely to affect them makes the most sense. Nobody cares if Firefox 2.0 has a security vulnerability because nobody uses it and so nobody exploits it. Nobody is going to write an exploit today for a vulnerability which closed over six months ago on a piece of software which is several versions out of date on software which automatically updates itself. It's ludicrous to spend the time warning people about it, and since MS does have a potential conflict of interest by listing 3rd party software, it makes even less sense to only issue security warnings on software they are in direct competition with because that will only serve to call into question MS's impartiality.

      Until the competitors start to pay Microsoft to stop doing it.

      That will not happen. Read the article. MS is using CVD (aka responsible disclosure) while issuing these reports. Why would a vendor pay to get MS to stop issuing alerts based on cooperative vulnerability disclosures?

      --
      The road to tyranny has always been paved with claims of necessity.

  2. If you REALLY want to make Windows secure by TClevenger · Score: 4, Insightful

    Add Adobe Flash, Adobe Reader and Java to Windows Automatic Updates. That will resolve 90% of the issues.