
Do Microsoft's vulnerability tip-offs give the U.S. a cyber sword or a cyber shield?

Ian Paul | June 18, 2013
Microsoft's early vulnerability disclosures to the U.S. may give the government both a shield and a sword.

Microsoft is not the only major technology firm reportedly helping the American intelligence community. Intel's McAfee provides security threat data to the government, and Bloomberg reports that major cell phone carriers such as AT&T and Verizon allow the government to actively seek out security flaws on their networks.

Windows, windows everywhere

But more so than other firms named in the report, Microsoft's early tip-offs have direct implications for everyday users, most of whom have Microsoft software running on their PCs at home.

Micah Lee, Staff Technologist with the Electronic Frontier Foundation, raises a more troubling concern, one that echoes the recent reports about the U.S. National Security Agency collecting data on American citizens.

NSA Headquarters

"If Microsoft is giving information about vulnerabilities in software that hundreds of millions of people use to intelligence agencies there is a huge potential for abuse," Lee told PCWorld. "Bloomberg's report says that this information could be used to access the computers of terrorists or military foes, but in reality it could be used to access the computers of anyone running vulnerable Microsoft software."

Coordinated disclosure
Security fixes for critical vulnerabilities can already take a long time. So-called white hat security researchers who discover previously unknown security issues, known as zero-day flaws, typically report them to the affected company. Researchers then give the company time to fix the flaw before going public with their discovery.

This process sometimes takes weeks or months, leaving users unwittingly exposed to malware designed to exploit the flaw.

Making matters worse, some developers have been accused of dragging their feet on fixing critical problems. Delays in fixing security flaws are what prompted Google's recent call for a seven-day waiting period before publicizing critical security issues that are being actively exploited by malicious actors.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a recent blog post. "But it should be enough time to publish advice about possible mitigations."

Lee thinks Google's move is a good one.

"If it weren't for deadlines like this, it's possible that companies might avoid fixing security problems for months or years," he said. Lee also pointed out that companies aren't legally obliged to disclose security vulnerabilities within a given timeframe.

Microsoft doesn't publish a timeline for how long it should take to produce a fix for reported vulnerabilities, but does say that it will develop a fix as quickly as possible.

"We ask the security research community to give us an opportunity to correct the vulnerability before publicly disclosing it," Microsoft says on its coordinated vulnerability disclosure page that explains how the company deals with security flaws discovered by third parties. "As we ourselves do when we discover vulnerabilities in other vendors' products."
