Slashdot Mirror


Microsoft Kicks Off Third-Party Bug Warnings

Pigskin-Referee writes "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."


  1. Good idea by stopacop · · Score: 1

    Since Adobe and Java are widely ignored by the general population because they have hundreds of icons on their system tray. I'm almost to the point of charging $10 extra per customer who ignores these updates.

    --
    http://www.stopacop.so -- You have rights. How about standing up for them before they go away?
  2. Fair comparison to Linux by hierofalcon · · Score: 1

    Finally. Now if they track every product they'll finally be able to fairly compare themselves to Linux distributions.

    1. Re:Fair comparison to Linux by kvvbassboy · · Score: 1

      It's *not* a fair comparison for the simple reason that Linux is open source for the most part. It can be much harder to find a security vulnerability in a 3rd party software, whereas most applications running on Linux are open source.

    2. Re:Fair comparison to Linux by sortius_nod · · Score: 1

      That's utter bullshit. Finding security holes makes little difference if it's open source or not. If you'd subscribed to any of the bug/security mailing lists you'd notice that predominantly it's closed source software popping up with vulnerabilities.

      It's not hard to find holes in a leaking boat if you look hard enough, it's just whether the holes are big enough to warrant fixing them.

    3. Re:Fair comparison to Linux by ozmanjusri · · Score: 1

      It's *not* a fair comparison for the simple reason that Linux is open source for the most part.

      Who gives a rat's arse if it's fair?

      I just want to know which is BETTER.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:Fair comparison to Linux by kvvbassboy · · Score: 1

      I was playing devil's advocate. Linux's system of operation (if you will) is lightyears ahead of Microsoft's "3rd party advisories" when it comes to security.

    5. Re:Fair comparison to Linux by gorehog · · Score: 1

      That was the point. It's easier to close the security holes in open source than closed source.

    6. Re:Fair comparison to Linux by WorBlux · · Score: 1

      Not necessarily. Some methods like fuzzing don't require source code analysis. Also being blindsided by an exploit is a sure way to find a bug.

  3. Interesting "advisories" by jhoegl · · Score: 1, Insightful

    Anyone else notice their advisories are against competitors?

    Yeah... I call BS

    1. Re:Interesting "advisories" by Bacon+Bits · · Score: 1

      I noticed that. I also noticed they didn't list the vendors I'd call the major offenders: Adobe (Flash, Reader) and Java. I find it a little unlikely none of those products has no open vulnerabilities. However, it says they're only doing responsible disclosure (CVD) and I would as easily believe that Adobe and Oracle are still unwilling to talk about security problems as much as MS just wants to smear Google and Mozilla (sorry, Opera, nobody really sees you as a threat).

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:Interesting "advisories" by egamma · · Score: 3, Insightful

      Anyone else notice their advisories are against competitors? Yeah... I call BS

      Are you calling BS because you do not think that other companies besides MS have vulnerabilities in their products?

      Or are you calling BS because you believe that MS should keep quiet about vulnerabilities they find in products other than their own?

      And yes...I am calling BS on your calling BS.

    3. Re:Interesting "advisories" by jhoegl · · Score: 1

      I was pretty clear about why I called BS.
      But maybe it wasn't clear enough.
      I call BS on the "Advisories" because....

      Ah hell with it, I'm not responding to a troll, except this response and only this response. No more responses after this response of me responding to the troll.

    4. Re:Interesting "advisories" by Bacon+Bits · · Score: 1

      OK, I just looked at the vulnerabilities:

      http://www.microsoft.com/technet/security/advisory/msvr11-001.mspx
      Affects: Google Chrome version 6.0.472.55 and earlier

      http://www.microsoft.com/technet/security/advisory/msvr11-002.mspx
      Affects: Google Chrome version 8.0.552.210 and earlier, Opera version 10.62 and earlier

      WTF? Google Chrome stable is v10, and Opera stable is v11.10.

      --
      The road to tyranny has always been paved with claims of necessity.
    5. Re:Interesting "advisories" by Aladrin · · Score: 1

      Do you actually think they will disclose vulnerabilities without the approval of the company? Then re-read the summary. It says right there that they will coordinate with the third party before the advisory is issued.

      Even if they wanted to, if their disclosure cost the third party money, they could be sued. They won't risk that.

      So his 'bs call' is perfectly legit.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    6. Re:Interesting "advisories" by kvvbassboy · · Score: 1

      Depends on who the "competitors" are. Mozilla? Google? Do you really think Microsoft Research will pull out such a stunt? As far as I can see, it's the dickweeds at the corporate side of Microsoft who bring down its reputation.

    7. Re:Interesting "advisories" by blair1q · · Score: 1

      Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones. Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.

      Until the competitors start to pay Microsoft to stop doing it.

    8. Re:Interesting "advisories" by bloodhawk · · Score: 1

      Simple fact is many users do not upgrade even when the upgrade is free. People don't even bother to apply free security patches half the time so why would you expect them to also not be using older versions of free products?

    9. Re:Interesting "advisories" by Bacon+Bits · · Score: 1

      Why would someone who doesn't keep their auto-update software up-to-date read MSVR?

      --
      The road to tyranny has always been paved with claims of necessity.
    10. Re:Interesting "advisories" by Bacon+Bits · · Score: 4, Insightful

      Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones.

      Yes, that's why I mentioned Adobe Flash, Adobe Reader, and Java JRE and wondered why they're not mentioned. Do you pay any attention at all to how malware infections actually occur? I'm sure #1 is and always will be social engineering, but those three applications have to be in the top 5 based on the number of in-the-wild exploits.

      Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.

      One would think that MS would be inclined to post security bulletins for the most severe and most widespread issues. As you say, there are bugs in all software, but informing users about those which are the most severe and the most likely to affect them makes the most sense. Nobody cares if Firefox 2.0 has a security vulnerability because nobody uses it and so nobody exploits it. Nobody is going to write an exploit today for a vulnerability which closed over six months ago on a piece of software which is several versions out of date on software which automatically updates itself. It's ludicrous to spend the time to warn people about it, and since MS does have a potential conflict of interest by listing 3rd party software, it makes even less sense to only issue security warnings on software they are in direct competition with because that will only serve to call into question MS's impartiality.

      Until the competitors start to pay Microsoft to stop doing it.

      That will not happen. Read the article. MS is using CVD (aka responsible disclosure) while issuing these reports. Why would a vendor pay to get MS to stop issuing alerts based on cooperative vulnerability disclosures?

      --
      The road to tyranny has always been paved with claims of necessity.
    11. Re:Interesting "advisories" by bloodhawk · · Score: 1

      It isn't about THEM reading it. It is about being aware what are the potential dangers out there, whether they are from a rogue user that has installed an old version of chrome on the corporate image or an external user that comes into your system remotely or merely interchanges data with your system, the vulnerability doesn't have to be on your own system to affect you.

    12. Re:Interesting "advisories" by aztracker1 · · Score: 1

      Well, whenever chrome starts it updates iirc... so that would be a hard issue to have with chrome, unless it's unpatched in stable.

      --
      Michael J. Ryan - tracker1.info
    13. Re:Interesting "advisories" by bloodhawk · · Score: 1

      It is not a hard issue to have with chrome at all. I work with 2 large government departments that BOTH have this issue, chrome website and update are blocked as it is not something that is supposed to be running on end machines and hence not in their whitelist of sites, but there are always a few users with local desktop admin rights that think it is their god given right to run whatever they want on their machine and put a copy on and NEVER update it.

    14. Re:Interesting "advisories" by thetoadwarrior · · Score: 1

      Chrome updates itself and I doubt most people go through the effort of trying to disable it.

  4. Pay No Attention by 0100010001010011 · · Score: 1

    To the bugs behind the OS.

  5. Anything that is an improvement by cyberfin · · Score: 1

    to any systems security is welcome. I do think however that MS should have introduced this directly with the launch of W7. So much could have been done by now.

    --
    "I'm taking this loop off." - Jack O'Neill
  6. Where exactly are these being announced? by Repossessed · · Score: 1

    There's nothing concerning Chrome or Opera in the Microsoft Security Advisory RSS feed.

    --
    Liberte, Egalite, Fraternite (TM)
  7. Java's and Adobe's updates suck. by Anonymous Coward · · Score: 2, Informative

    Ah Java and Adobe!

    Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log-off and log back on as the admin. "Switch User"? Turned it off for performance reasons.

    Then in Admin mode, gotta re-download all of the updates again and then do the install.

    So, what if your customers, or least the people using those machines, don't have admin access?

    Oh, I don't have that problem with any of Microsoft's products, btw.

    iTunes on Windows sucks too.

    Listen Windows devs, not everyone runs their machines as Admins all the time! Geeze!

    And no, you shouldn't have to be an admin to install a fucking document viewer.

    1. Re:Java's and Adobe's updates suck. by similar_name · · Score: 1

      Installing a document viewer is not necessarily an administrative task. You can install Firefox (Windows XP) without admin privileges. As long as you have write access somewhere.

    2. Re:Java's and Adobe's updates suck. by Anaerin · · Score: 1, Informative

      Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log-off and log back on as the admin. "Switch User"? Turned it off for performance reasons.

      So, let me get this straight, you have enabled a high(er) security policy, and are now complaining when the higher security policy you have implemented gets in the way of something you want to do. Let's try looking at this another way:

      Stupid lock makers! I installed deadbolts in my doors for security, but when I'm outside and I see I've left a light on I have to unlock my doors again to turn that light off! Can I do a "teleport into the room"? Nope. Gotta walk to the door and unlock it! X10? Didn't get the wireless option for performance reasons

      It's the same kind of argument you're trying here. Some might say that the Java updater should change its prompt if you don't have administrative rights (and/or change its behaviour, so it doesn't bother downloading an update you can't install), but that is STILL not Microsoft's fault. And, in fact, in Vista and 7, with UAC, have enabled you to do exactly as you intend, and given that XP's support is being sunset shortly, it would behoove you to update. And, for reference, Windows 7 with Aero disabled has comparable (or better) performance than Windows XP. Oh, and you CAN do a RunAs, you just need to do it from Windows - The "Update notifier" applications don't have that capability, but if you find where it downloaded the installer to, you can install it using RunAs from there.

      Then in Admin mode, gotta re-download all of the updates again and then do the install.

      Because it's a completely different user, and for security reasons one user's programs can't access another user's area

      So, what if your customers, or least the people using those machines, don't have admin access?

      You find someone (your IT manager, or the person who implemented the higher security policy) who does have admin access.

      And no, you shouldn't have to be an admin to install a fucking document viewer.

      Why the hell not? Software is software, no matter what it does. Your "Fucking document viewer" might have any number of other functions, including formatting the entire system if it so desires, not to mention adding files to the system (DLL/COM components/Default associations) and making all kinds of changes. The OS has no idea what a program is and what it does, just that it's something new and therefore needs approval. Or do you want an "Evil" bit to be set in programs. Just how well do you think that would work?

    3. Re:Java's and Adobe's updates suck. by Luckyo · · Score: 1

      There is an "old" saying in corporate IT: "Friends don't let friends downgrade from XP"

      Because fixing all the legacy shit that "upgrade" to vista/7 will break will make you pop more anti-depressants than a trophy wife wed to a jealous 90-year old gay.

    4. Re:Java's and Adobe's updates suck. by ozmanjusri · · Score: 1

      but that is STILL not Microsoft's fault.

      Have you ever used any other operating systems?

      --
      "I've got more toys than Teruhisa Kitahara."
    5. Re:Java's and Adobe's updates suck. by Anaerin · · Score: 1

      As it happens, yes. I have a Debian box running MythTV acting as DVR and NAS for my home network. And the same thing happens on linux - Try to run apt-get from a regular user (without sudo, or without sudo privileges) and you get an error message, as intended. My point still stands - Microsoft is not at fault for shortcomings in other people's products, or for security measures you yourself have implemented. Though I guess this is /., and Microsoft-bashing is pretty much par for the course here.

    6. Re:Java's and Adobe's updates suck. by ozmanjusri · · Score: 1

      And how does sudo compare to logging out and logging back in as admin for convenience?

      --
      "I've got more toys than Teruhisa Kitahara."
    7. Re:Java's and Adobe's updates suck. by Pseudonym+Authority · · Score: 1

      He disabled the Fast User Switching on his own, any inconvenience he has to endure because of that is his own fault.

    8. Re:Java's and Adobe's updates suck. by dragonturtle69 · · Score: 2

      My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    9. Re:Java's and Adobe's updates suck. by dragonturtle69 · · Score: 1

      And no, you shouldn't have to be an admin to install a fucking document viewer.

      Correct, user applications should install at the user level. Chrome installed on Win 7 for me under a standard user account. Acrord, Flash, Java require admin level, maybe due to where the updated files are placed or registry, and because they are system applications.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    10. Re:Java's and Adobe's updates suck. by Luckyo · · Score: 1

      In what way does it matter? If a user who is in an important, or even key position in a company suffers from reduced efficiency because of the upgrade, it's your head that will roll when he/she complains to the boss.

    11. Re:Java's and Adobe's updates suck. by 1u3hr · · Score: 1

      My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.

      And if my work is dependent on that application, which is now not being updated, I don't give a shit as long as the damn thing runs. If it doesn't, I will downgrade my OS if necessary.

      Applications are important to users, not OSes.

    12. Re:Java's and Adobe's updates suck. by gorehog · · Score: 1

      Too bad I don't need those versions. Since XP came out I started migrating away from windows. Now I can do most anything I need on linux and the few things I need windows for XP does fine.

    13. Re:Java's and Adobe's updates suck. by dragonturtle69 · · Score: 1

      Use Win 98 then; single user, admin all the time, security a total afterthought. To be fair, Win 98 was designed before the always on network connections were common, certainly for home users.

      Say an honest developer makes an application poorly, requiring it to have administrator access to run, and since it was made poorly, it gets cracked. By giving that application administrator access, you gave up a PC and everything it has accessible. Its network shares, database access using windows authentication and anything else it has are all available because of laziness. That's why you should care what applications have admin access.

      The critical people in the company need to understand why the data they access needs to be kept safe. Someone complaining about UAC is like someone complaining about needing to unlock/lock their doors.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    14. Re:Java's and Adobe's updates suck. by jones_supa · · Score: 1

      Too bad I don't need those versions. Since XP came out I started migrating away from windows.

      I did the same thing, although 7 was good enough so I came back. Now I run both Windows and Ubuntu.

    15. Re:Java's and Adobe's updates suck. by Luckyo · · Score: 1

      Vast majority of "critical people" in the company wouldn't be able to define what "data access" is in the way you reference it. They don't care either, as it's not part of their job description. And frankly, having seen what they have to work with, I understand why. The intricate details of their work look just as arcane to me as IT's work must look to them.

      Point is, there's no need for win98 as you reference it - XP runs pretty much all legacy 16-bit stuff good enough, and being 7 years old most of the arcane stuff has already been made to work with XP.

      Same cannot be said about 7 - not by a long shot. And that is the main problem why no one sane lets IT upgrade key personnel that don't specifically request 7.

    16. Re:Java's and Adobe's updates suck. by Sam+Douglas · · Score: 1

      If my work is dependent on an application that no longer runs on modern operating systems, then I have a problem. I will make the application work, and/or try to find a way to not be dependent on unsupported software that will leave me up shit creek in future. Luckily VMs make it easy to run various operating systems as needed, even if modern hardware is poorly supported by them.

    17. Re:Java's and Adobe's updates suck. by Sam+Douglas · · Score: 1

      I quite like the approach of just installing to your home directory by default, and offering to install for all users as a secondary option. It works well for single user systems and somewhat limits the damage that can be caused on a multi-user system.

      In my opinion too much software is packaged to target some experience in between individual use and corporate use. I like that Google Chrome just installs somewhere and updating just happens without me really being involved or having to prod it along. Minecraft is another popular app that uses that model to good effect.

  8. Really? by 93+Escort+Wagon · · Score: 1

    because many users look to Microsoft to ensure that their computers are secure

    Okay, that explains a lot.

    --
    #DeleteChrome
  9. A move I agree with! by erroneus · · Score: 2

    Finally something Microsoft is doing right. Fact is, "Windows" is vulnerable as hell not only because of their own crap, but the crap of others... and truth be told, it's probably more other crap that does more damage to Windows than anything else. Okay so there's a combination of stupid in effect... Microsoft can't seem to limit the applications and drivers to prevent them from doing bad things (as they should) and bad apps need backward compatibility... yeah... no... not really but Microsoft seems to think so.

    Anyway, keep doing that and a little more and I won't hate Microsoft OSes so much.

    1. Re:A move I agree with! by jhoegl · · Score: 2

      I would agree with you if they called out Adobe, Java, IRC programs, News viewers, file sharing, firewalls, routers, server software, websites, etc.

      But instead they call out browsers. Browsers that have significant market share on them.
      Not only that, but Old browsers with old bugs. I mean if we were to do that we should call out Windows 95/WindowsNT/2000/2003RC1/Vista bugs that they haven't patched.
      Not because they don't support them anymore, but because they are still not fixed in that release iteration.

    2. Re:A move I agree with! by Yunzil · · Score: 1

      bad apps need backward compatibility... yeah... no... not really but Microsoft seems to think so.

      Actually, you mean "yeah, and Microsoft is right."

  10. Full-Time Jobs For All! by tunapez · · Score: 1

    Wow, this endeavor could very well add thousands, or 10's of thousands, of new jobs to the economy. Or, it's a PR campaign to push IE9, et al MS apps.
     
    Hmmm, which is more likely?

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  11. If you REALLY want to make Windows secure by TClevenger · · Score: 4, Insightful

    Add Adobe Flash, Adobe Reader and Java to Windows Automatic Updates. That will resolve 90% of the issues.

    1. Re:If you REALLY want to make Windows secure by jones_supa · · Score: 1

      This is actually a great idea. Windows also should have some kind of "third party repositories" in the update system.

  12. Deal with it. by Pseudonym+Authority · · Score: 1

    XP is crap grandpa. Just update your fucking applications already and stop using a 236354 year old operating system because your poorly designed program from 1993 can't run without admin rights.

    Seriously, are you really bitching that Windows finally has a security model? God damn you people are impossible to please.

  13. Re:vista/7 by TaoPhoenix · · Score: 1

    Just a little more time.
    Let's get it in the open, Vista was a documented Hail Mary from when they lost two entire years of dev time and started over about 2004. 7 is just what Vista should have been if they had planned better.

    So now that 7 got the "housekeeping" done, it's time to see what Windows 8 is, with its plans for App Stores vs. whatever evil media tracking tricks get baked into the OS.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  14. Re:They need 4th and 5th Party HELP too! by Bacon+Bits · · Score: 1

    The registry is no worse and no more complex than /boot/, /dev/, /etc/, and parts of /lib/ combined. That's all the registry is, with a little /home/ thrown in for HKCU. If you honestly believe otherwise, you've honestly never dealt with either system for any extended period with any applications of consequence. It takes maybe one or two hours of serious study to understand how the registry is laid out and what each bit does for the system. It's not hard. People are just intimidated. They think that editing a live hierarchal database is somehow more scary than editing a live filesystem, without realizing it's essentially the same thing.

    Windows itself has not had memory leaks since prior to Windows 2000, and making this argument dates your experiences towards obsolescence. Complaints about other software being shoddy should be directed at those particular vendors. Or should we start blaming kernel.org because we found a bug in a binary driver? FOSS political followers love that.

    Rebooting servers to apply patches takes about 1 hour a month for the entire network for about 50 servers. Honestly, if your systems cannot handle the server being inaccessible for the time it takes a system to restart, you've built an amazing fault-intolerant system. It does not take significantly longer than it does to stop and start services on Linux servers, which needs to be done when that software is updated. The idea of never rebooting servers is outdated and unwise, as if you never reboot servers and suddenly you have to due to an emergency restart, hardware failure, or hardware update and discover a problem at boot, you will never know if your system isn't booting because of the hardware failure or because you updated the software this month. Or the month before that. Or the month before that. Or the month before that. Or changed the configuration six months ago. Or twelve months ago. Wait, did Bob do a change nine months ago? Or was that reverting a change from last year? You're suddenly stuck in a position of having no idea why your server is broken and only knowing that the last known good state was three years ago and you probably haven't even got the grandfather backup any longer. Good job. Have a nice weekend with that. Hope your resume is polished and ready.

    I've said it before: If you are so poor at systems administration that you cannot adequately harden and secure Windows Server and keep it running smoothly, you do not deserve to be a systems administrator of any operating system. Turn in your badge and keyboard.

    --
    The road to tyranny has always been paved with claims of necessity.
  15. vulnerability lies with a third-party program? by doperative · · Score: 1

    "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."

    Look, for the umpteenth time, a programming error in an application that leads to a system compromise, is a defect in the underlying Operating System, namely Microsoft Windows/WinNT/Longhorn/Vista/Windows ...

  16. Internet Malware .. by doperative · · Score: 1

    > Pay no attention to the bugs behind the OS.

    And whatever you do don't mention Windows, talk about Internet malware instead ... :)

  17. Dilution by gorehog · · Score: 1

    A large number of the security holes in Windows apps are caused by flaws in Windows libraries. Calling out others who have used your flawed library has the effect of diluting warnings about yourself. MS won't look so bad if they point their finger at others and say "see, theirs sucks too!"

  18. Re:Linux (kernel only) compared 2 Win7 anyone? by WorBlux · · Score: 1

    Mary collects 354 coins, Paul collects 108. Whose coin collection is worth more?

    It depends on the value of each coin.

    Not a single highly or extremely critical advisory issued for the 2.6 kernel, and 42% of the advisories not critical at all. For Windows 7 42% of the advisories were highly or extremely critical. 66% of the vulnerabilities of windows 7 are remotely exploitable, vs. 15% of 2.6.x

    Besides that, you're comparing less than two years of history to over 7 as well. In addition the environment and incentives are different. In the FOSS world, shouting "Here's a bug and here's how I fixed it" gets you a lot of credibility. With M$ they want no publicity about bugs except when it would be irresponsible not to disclose them. (e.g. when they are actively being exploited). All the little bugs and fixes if any are held close to avoid publicity and hope that security through obscurity might hold up.

    Bottom line, one of the best ways to test code for bugs is to throw random data (fuzzing) at it and see what happens. Or at least that's a much better way than to rely on plain numbers generated by two very different operating philosophies and practices.

  19. Cool! by justforgetme · · Score: 1

    Now spammers will have one more vector for scareware distribution!!!

    Oh, I so love this world!!!!

    --
    -- no sig today