Microsoft: We Don't Want to Zero-Day Our Customers

Published: 23/11/2024   Category: security




The head of Microsoft's Security Response Center defends keeping its initial vulnerability disclosures sparse. It is, she says, to protect customers.



BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company's vulnerability disclosure policies, saying they give security teams enough information to make informed patching decisions without handing threat actors the details they would need to quickly reverse-engineer a patch into a working exploit.
In a conversation with Dark Reading at Black Hat USA, Aanchal Gupta, corporate vice president of Microsoft's Security Response Center, said the company has consciously decided to limit the information it provides initially with its CVEs in order to protect users. While Microsoft CVEs state the severity of a bug and the likelihood of its being exploited (including whether it is already being exploited in the wild), the company is deliberately judicious about when it releases details of how a vulnerability can be exploited.
For most vulnerabilities, Microsoft's current approach is to wait 30 days after the patch is released before filling in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrators enough time to apply the patch without jeopardizing them, she says. "If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," Gupta says.
Microsoft, like other major software vendors, has faced criticism from security researchers for the relatively sparse information it releases with its vulnerability disclosures. Since November 2020, Microsoft has used the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its Security Update Guide. Each entry carries a CVSS vector covering attributes such as attack vector, attack complexity, and the privileges an attacker needs, together with a base score that conveys the severity ranking.
However, some have described the updates as cryptic and lacking critical information on which components are affected or how they might be exploited. They have noted that Microsoft's current practice of placing each vulnerability into an "Exploitation More Likely" or an "Exploitation Less Likely" bucket does not provide enough information to make risk-based prioritization decisions.
More recently, Microsoft has also faced criticism for an alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable's CEO Amit Yoran accused the company of silently patching a couple of Azure vulnerabilities that Tenable's researchers had discovered and reported.
"Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service," Yoran wrote. "After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk, and without notifying customers."
Yoran pointed to other vendors, such as Orca Security and Wiz, that had encountered similar issues after disclosing vulnerabilities in Azure to Microsoft.
Gupta says Microsoft's decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE's CVE program.
"As per their policy, if there is no customer action needed, we are not required to issue a CVE," she says. The goal is to keep the noise level down for organizations and not burden them with information they can do little with.
"You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis," she notes.
Gupta points to last year's disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that case, Microsoft's strategy was to directly contact the organizations that were impacted.
"What we do is send one-to-one notifications to customers because we don't want this info to get lost," she says. "We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly."
Sometimes an organization might wonder why it was not notified of an issue; that's likely because it is not impacted, Gupta says.
