Microsoft Kicks Off Third-Party Bug Warnings
Pigskin-Referee writes "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."
Anyone else notice their advisories are against competitors? Yeah... I call BS
Are you calling BS because you do not think that other companies besides MS have vulnerabilities in their products?
Or are you calling BS because you believe that MS should keep quiet about vulnerabilities they find in products other than their own?
And yes...I am calling BS on your calling BS.
Ah Java and Adobe!
Ya see, I run my XP box as a user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log off and log back on as the admin. "Switch User"? Turned it off for performance reasons.
Then in Admin mode, gotta re-download all of the updates again and then do the install.
So, what if your customers, or at least the people using those machines, don't have admin access?
Oh, I don't have that problem with any of Microsoft's products, btw.
iTunes on Windows sucks too.
Listen Windows devs, not everyone runs their machines as Admins all the time! Geeze!
And no, you shouldn't have to be an admin to install a fucking document viewer.
Finally something Microsoft is doing right. Fact is, "Windows" is vulnerable as hell not only because of their own crap, but the crap of others... and truth be told, it's probably more other crap that does more damage to Windows than anything else. Okay so there's a combination of stupid in effect... Microsoft can't seem to limit the applications and drivers to prevent them from doing bad things (as they should) and bad apps need backward compatibility... yeah... no... not really, but Microsoft seems to think so.
Anyway, keep doing that and a little more and I won't hate Microsoft OSes so much.
Add Adobe Flash, Adobe Reader and Java to Windows Automatic Updates. That will resolve 90% of the issues.
Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones.
Yes, that's why I mentioned Adobe Flash, Adobe Reader, and Java JRE and wondered why they're not mentioned. Do you pay any attention at all to how malware infections actually occur? I'm sure #1 is and always will be social engineering, but those three applications have to be in the top 5 based on the number of in-the-wild exploits.
Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.
One would think that MS would be inclined to post security bulletins for the most severe and most widespread issues. As you say, there are bugs in all software, but informing users about those which are the most severe and the most likely to affect them makes the most sense. Nobody cares if Firefox 2.0 has a security vulnerability because nobody uses it and so nobody exploits it. Nobody is going to write an exploit today for a vulnerability which closed over six months ago on a piece of software which is several versions out of date on software which automatically updates itself. It's ludicrous to spend the time to warn people about it, and since MS does have a potential conflict of interest by listing 3rd party software, it makes even less sense to only issue security warnings on software they are in direct competition with, because that will only serve to call into question MS's impartiality.
Until the competitors start to pay Microsoft to stop doing it.
That will not happen. Read the article. MS is using CVD (aka responsible disclosure) while issuing these reports. Why would a vendor pay to get MS to stop issuing alerts based on cooperative vulnerability disclosures?
The road to tyranny has always been paved with claims of necessity.