Microsoft has started a new Coordinated Vulnerability Disclosure (CVD) policy.

MSRC Blog Post: http://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx
CVD at Microsoft Paper: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=2f25ef80-88b1-461e-95e0-3e3ec7f2fe8e
MSVR Advisories landing page: http://www.microsoft.com/technet/security/advisory/msvrdefault.mspx
MSRC CVD page: http://www.microsoft.com/security/msrc/report/disclosure.aspx
I'm guessing that Mr. Ormandy's latest tweets (he is a Google security researcher who has released Microsoft zero-days) are in response to this:

Twitter / @Tavis Ormandy:
"Security" is not simply ignorance of vulnerabilities. If having more information makes you less secure, then you're doing it wrong.
My take: It depends on who's got the information and what they do with it. If that information about the vulnerability is in the hands of people who can now code up browser exploits, and there's no mitigation that my Mom and Dad can apply on their PCs, then more information in the wrong hands does not make us more secure. It's what I'm still concerned about in regards to cloud computing. Right now we're a distributed target: lots of small businesses and small firms scattered all over the place. Move to a business model where we all keep our data in the cloud, and what happens when the bad guys decide that Office 365 makes a really good target to go after? Yeah, not good.
Twitter / @Tavis Ormandy:
Wake me up when Microsoft has an official policy about not threatening or bullying security researchers
Wake me when security researchers care as much about the users of computers as they say they do. For every time you release a zero-day, how about you release with it mitigation guidance that's actionable and realistic for everyone from Enterprises all the way down to my Mom and Dad's computer? Don't just get mad at the vendor; think all the way down to people just using computers. Make sure they have the RIGHT information for them. Merely putting out information isn't enough. What's needed is the RIGHT actionable information for each type of computer user, along with actionable mitigation that doesn't just think of Enterprise users and no one else.

And if you think you are helping computer users by pushing vendors to make their software more secure, how about you also push to help people get updates installed while you are at it? If you have some free time, hop on the Windows Answers forum and help out: http://answers.microsoft.com/en-us/windows/forum/windows_update?page=1&tab=no