Apr 20, 2011 13:37 GMT  ·  By

Microsoft has begun publishing security advisories about vulnerabilities its own researchers found in third-party software, and has used the occasion to reinforce its commitment to Coordinated Vulnerability Disclosure (CVD).

In July 2010, at about the same time as Google publicly backed the disclosure practices of its security researchers and proposed a 60-day disclosure deadline, Microsoft announced its own corporate policy on the subject.

Dubbed Coordinated Vulnerability Disclosure (CVD), the policy is a form of responsible disclosure, modified to put the focus on coordination between researchers and the affected vendors.

Microsoft has now published the first advisories under CVD and taken the occasion to detail its procedures under the new policy, which are mandatory for all of its employees.

Both newly released advisories concern bugs that were patched months ago in Google's Chrome browser; one of them also affects Opera.

The first Microsoft Vulnerability Research (MSVR) advisory, MSVR11-001, concerns a use-after-free vulnerability in WebKit that was addressed in Chrome 6.0.472.59.

The flaw allowed attackers to cause a denial of service condition or execute arbitrary code inside Chrome's native sandbox. Because the sandbox isolates the renderer process from the rest of the operating system, the risk to users was greatly diminished, which is exactly what the feature was designed to do.

The second advisory, MSVR11-002, concerns an HTML5 implementation issue in Chrome and Opera that could lead to information disclosure. The issue stemmed from a cross-origin problem with canvas elements and was fixed at the beginning of December 2010, in Chrome 8.0.552.215 and Opera 10.63.
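The advisory itself is not detailed on this page, so the following is an added illustration of the security rule that cross-origin canvas information-disclosure bugs of this class violate, not code from Chrome, Opera or Microsoft. It models the HTML specification's "origin-clean" flag in plain JavaScript so it runs without a DOM: a canvas starts origin-clean, drawing a cross-origin image taints it unless the image was fetched with CORS and the server approved the page's origin, and read-back APIs such as getImageData and toDataURL must refuse to expose pixels from a tainted canvas. The CanvasModel class, the corsAllowOrigin field and all URLs are constructed for the example.

```javascript
// Added example: a model of the HTML canvas origin-clean rule.
// Not browser code; CanvasModel, corsAllowOrigin and the URLs are constructed.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SecurityError';
  }
}

// An origin is the (scheme, host, port) tuple. URL.host already drops a
// default port, so https://a.example:443 and https://a.example compare equal.
function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return parseOrigin(a) === parseOrigin(b);
}

class CanvasModel {
  constructor(documentUrl) {
    this.documentOrigin = parseOrigin(documentUrl);
    this.originClean = true; // a freshly created canvas is always origin-clean
    this.drawn = [];         // sources drawn so far, standing in for pixels
  }

  // drawImage(image): image = { url, corsAllowOrigin? } where corsAllowOrigin
  // stands for the Access-Control-Allow-Origin header the image server sent.
  drawImage(image) {
    const crossOrigin = parseOrigin(image.url) !== this.documentOrigin;
    const corsApproved =
      image.corsAllowOrigin === '*' ||
      image.corsAllowOrigin === this.documentOrigin;
    if (crossOrigin && !corsApproved) {
      // Taint is sticky: nothing drawn later can make the canvas clean again.
      this.originClean = false;
    }
    this.drawn.push(image.url);
  }

  // Read-back must be refused once the canvas holds cross-origin pixels;
  // otherwise a page could read images it is not allowed to see, such as an
  // authenticated image from another site.
  getImageData() {
    if (!this.originClean) {
      throw new SecurityError('canvas is tainted by cross-origin data');
    }
    return this.drawn.slice();
  }

  toDataURL() {
    return 'data:text/plain,' + this.getImageData().join(',');
  }
}

// Convenience wrapper that reports the outcome instead of throwing.
function readBack(canvas) {
  try {
    return { ok: true, data: canvas.toDataURL() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Walk through the three cases a practitioner should expect.
function demo() {
  const page = 'https://app.example/page.html';

  const clean = new CanvasModel(page);
  clean.drawImage({ url: 'https://app.example/logo.png' });

  const tainted = new CanvasModel(page);
  tainted.drawImage({ url: 'https://bank.example/balance.png' });
  tainted.drawImage({ url: 'https://app.example/logo.png' }); // still tainted

  const cors = new CanvasModel(page);
  cors.drawImage({ url: 'https://cdn.example/hero.png',
                   corsAllowOrigin: 'https://app.example' });

  return { clean: readBack(clean), tainted: readBack(tainted), cors: readBack(cors) };
}

console.log(demo());
```

The model is the baseline a browser's canvas implementation has to uphold; an implementation bug that lets the read-back succeed on a tainted canvas, or that fails to set the taint for some drawing path, is precisely the kind of cross-origin information disclosure the advisory describes.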

"Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed," said Matt Thomlinson, general manager of trustworthy computing security at Microsoft.