SecurityGarden

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Thursday, July 22, 2010

Coordinated Vulnerability Disclosure (CVD)

Posted on 2:40 PM by Unknown
Today Microsoft announced a shift in philosophy on their approach to the topic of vulnerability disclosure. Rather than referring to "Responsible Disclosure" the new framework is "Coordinated Vulnerability Disclosure" or CVD.

The MSRC Blog describes CVD as follows:

"Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.

Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem."

Opinion:
In my opinion, it is irresponsible for any researcher to publicly disclose the details of a vulnerability, particularly one that is not in the wild. Regardless of whether the process is called "Responsible Disclosure" or "Coordinated Vulnerability Disclosure" or whether "in the wild" or not, those who expect immediate response when a vulnerability is reported need to keep some things in mind.

The most important aspect of making a software change is to make one change at a time and "test, test, and test again" after each change. Even after stringent tests are conducted, to ensure the change does not "break" something else, it is necessary to translate the changes to the many supported languages -- and test yet again. I would much rather wait the extra time for the testing to be properly conducted than get buggy updates!
Edit Note:
This, from Protection for New Malware Families Using .LNK Vulnerability, is precisely why it is my opinion that it is irresponsible by researchers to release proof-of-concept details to the public.

"What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it."
For more detailed information regarding the tenants of CVD, please see Katie Moussouris' Ecostrat blog post, Coordinated Vulnerability Disclosure: Bringing Balance to the Force.


References:
  • MSRC Blog: Announcing Coordinated Vulnerability Disclosure
  • MSRC Ecosystem Strategy Team: Coordinated Vulnerability Disclosure: Bringing Balance to the Force
  • The Register: Microsoft to banish 'responsible' from disclosure debate
  • (Added) MMPC: Protection for New Malware Families Using .LNK Vulnerability

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Email ThisBlogThis!Share to XShare to Facebook
Posted in Microsoft, Security, Updates, Vulnerabilities, Windows, Windows 7 | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • How to use Hotmail Aliases
    Whether shopping online, joining an on-line tech forum, registering your account for on-line bill payment or some other service, a valid e-m...
  • Critical Out-of-Band Update Released for MS10-046
    Microsoft released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. The security update is identified as crit...
  • Adobe Flash Player Critical Security Updates
    Adobe Flash Player was updated to address critical security vulnerabilities.  These updates address a vulnerability that could cause the ap...
  • Hotmail Security to Protect and Recover Your Account
    Time and time again I see reports from Hotmail users who have lost control of their e-mail account.  As explained by Walter Harp, Director o...
  • Microsoft Security Advisory 2269637 Released
    Microsoft released Security Advisory 2269637 which relates to a remote attack vector to a class of vulnerabilities affecting applications t...
  • Adobe Reader Security Updates
    Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.03) and earlier versions for Windows and Macintosh. Adobe identif...
  • Adobe Flash Player and Adobe Air Security Updates
    Adobe released updates to both Adobe Flash Player and Adobe AIR to correct a critical vulnerability in both products. From the Adobe Securi...
  • Security Bulletin Advance Notice for August, 2013
    On Tuesday, August 13, 2013, Microsoft is planning to release eight (8) bulletins.  Three of the bulletins are identified as Critical with f...
  • Waledac Botnet Takedown
    The Waledac botnet had the capability of sending 1.5 billion spam e-mails per day. During a three-week period in December, 2009, approximat...
  • Adobe Flash Player Security Update (again!)
    Only a week has passed since the last Adobe Flash Player security update and another has been released. Adobe Flash Player was updated to ad...

Categories

  • Adobe
  • Advisory
  • Amero
  • AntiVirus
  • Apple
  • Ask
  • AVG
  • Bing
  • Browser
  • Child Safety
  • email
  • ESET
  • Ethics
  • Facebook
  • Firefox
  • Firewall
  • FixIt
  • Fraud
  • General
  • Google
  • Hotmail
  • IE10
  • IE6
  • IE7
  • IE8
  • IE9
  • Java
  • Lavasoft
  • malware
  • Microsoft
  • Microsoft Apps
  • Mozilla
  • MVP
  • NCSAM
  • Office
  • Office 2007
  • Office 2010
  • Opera
  • Outlook.com
  • Phishing
  • Privacy
  • safety
  • Search
  • Security
  • Service Pack
  • SkyDrive
  • Skype
  • Software
  • SP1
  • sp2
  • SP3
  • Spotlight
  • Sumatra
  • tutorial
  • UAC
  • Updates
  • Vulnerabilities
  • Windows
  • Windows 7
  • Windows 8
  • Windows Live
  • Windows Live OneCare
  • Windows Vista
  • Windows XP
  • WinPatrol

Blog Archive

  • ►  2013 (93)
    • ►  October (2)
    • ►  September (8)
    • ►  August (9)
    • ►  July (5)
    • ►  June (8)
    • ►  May (7)
    • ►  April (15)
    • ►  March (9)
    • ►  February (16)
    • ►  January (14)
  • ►  2012 (98)
    • ►  December (7)
    • ►  November (6)
    • ►  October (11)
    • ►  September (5)
    • ►  August (10)
    • ►  July (8)
    • ►  June (12)
    • ►  May (7)
    • ►  April (12)
    • ►  March (6)
    • ►  February (6)
    • ►  January (8)
  • ►  2011 (130)
    • ►  December (8)
    • ►  November (10)
    • ►  October (7)
    • ►  September (12)
    • ►  August (9)
    • ►  July (6)
    • ►  June (13)
    • ►  May (14)
    • ►  April (13)
    • ►  March (15)
    • ►  February (10)
    • ►  January (13)
  • ▼  2010 (146)
    • ►  December (10)
    • ►  November (15)
    • ►  October (19)
    • ►  September (15)
    • ►  August (14)
    • ▼  July (8)
      • Out of Band Release Re: Microsoft Security Advisor...
      • Tragic News for Amero Family
      • Coordinated Vulnerability Disclosure (CVD)
      • Fix it Released for Security Advisory 2286198
      • Mozilla Firefox 3.6.7 Security Update
      • Microsoft Security Advisory (2286198)
      • July 2010 Security Bulletin Release
      • July 2010 Bulletin Release Advance Notification
    • ►  June (19)
    • ►  May (5)
    • ►  April (11)
    • ►  March (6)
    • ►  February (14)
    • ►  January (10)
  • ►  2009 (33)
    • ►  December (11)
    • ►  November (11)
    • ►  October (11)
Powered by Blogger.

About Me

Unknown
View my complete profile