We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

MS Announces Coordinated Vulnerability Disclosure Procedures

Microsoft releases the first two Vulnerability Research Advisories for third-party products and services

Yesterday, Microsoft announced that it will be actively demonstrating its commitment to Coordinated Vulnerability Disclosure (CVD) by publishing CVD documents and releasing Microsoft Vulnerability Research (MSVR) Advisories on vulnerabilities discovered by Microsoft but fixed by affected vendors. Microsoft hopes that these documents will provide more transparency and insight into their disclosure philosophy and about how they go through the process.

CVD documents clarify how Microsoft responds as a vendor impacted by the vulnerabilities in their own products and services. These documents also demonstrate how Microsoft acts as a finder of vulnerabilities in third-party products and services, and how they act as a coordinator of such vulnerabilities. Read more on CVDs here (word document).

MSVR advisories cover security vulnerabilities that Microsoft or other security researchers discovered in third-party products or services. Microsoft discloses the vulnerabilities to the affected vulnerabilities using procedures described in the Coordinated Vulnerability Disclosure.

Additionally, yesterday, Microsoft released the first two MSVR advisories which cover issues discovered by Microsoft in third party products, MSVR11-001 and MSVR11-002. Vulnerability 001 covers a vulnerability affecting the Google Chrome browser in versions prior to 6.0.472.59. This vulnerability affects the Sandbox in Chrome and could actually allow an attacker to run arbitrary code inside of Chrome's Sandbox. If the attacker fully exploited this vulnerability your browser would become unresponsive and/or exit unexpectedly; the attacker could run arbitrary code. Vulnerability 002 affects Google Chrome versions 8.0.552.210 and earlier, and Opera versions 10.62 and earlier; 002 addresses an information disclosure vulnerability which exists in the implementation of HTML5 in these browsers. If an attacker successfully exploited this vulnerability they could obtain private information from you.

As always, you should keep your system and programs on automatic update to get the most up to-date bug-free versions. To learn more about each vulnerability visit the Microsoft Vulnerability Research Advisories page.

[Via Microsoft (email and web) / Image via Wikipedia]

Follow James Mulroy on Twitter to get the latest in microbe, dinosaur, and death ray news.

IDG UK Sites

Windows 10 for phones UK release date, price and new features: When will my phone get Windows 10?

IDG UK Sites

It's World Backup Day 2015! Don't wait another minute: back up now

IDG UK Sites

How Lightroom works: Where are my photos and how do I back up?

IDG UK Sites

New 13-inch Retina MacBook Pro (early 2015, 2.7GHz) review: Just about the greatest upgrade any...