Microsoft’s new vulnerability disclosure policy kicks off with two Chrome flaws

By Tom Warren, on 20th Apr 11 10:45 am with 5 Comments

Microsoft kicked off a new program on Tuesday that is responsible for the discovery, reporting, and coordination of vulnerabilities in third-party products and services.

The Microsoft Vulnerability Research (MSVR) program launched on Tuesday with two Google Chrome vulnerabilities. Microsoft has a mixed history with Google over responsible vulnerability disclosure. Microsoft issued a Security Advisory in June last year, warning of an unpatched vulnerability in the Windows Help and Support Center function in Windows XP. Google’s senior security researcher, Tavis Ormandy, notified Microsoft about the flaw at the beginning of June. Days later Ormandy published proof-of-concept code, saying “without a working exploit, I would have been ignored.” The working exploit saw attacks increase rapidly and Microsoft claimed the Google worker’s move put customers at risk.

Microsoft’s new MSVR program chose to highlight two Google Chrome vulnerabilities to kick-start the program. Microsoft has made it clear that the company has spoken to Google officials before disclosing the flaws publicly. Network World reports that Google has already fixed the bugs that Microsoft is disclosing. A Google spokesperson told Network World that “these issues are actually quite old” and were covered in Google announcements in September and December.

The first flaw (MSVR11-001) could allow sandboxed remote code execution inside Google Chrome, according to Microsoft. “A sandboxed remote code execution vulnerability exists in the way that Google Chrome attempts to reference memory that has been freed,” Microsoft said. “An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox. The Google Chrome Sandbox is read and write isolated from the local file system which limits an attacker.”

The second flaw (MSVR11-002) affects Google Chrome browser versions 8.0.552.210 and earlier, and Opera browser versions 10.62 and earlier. “HTML5 implementation in Chrome and Opera could allow information disclosure,” says Microsoft. “An information disclosure vulnerability exists in the implementation of HTML5 in these Web browsers [Chrome and Opera],” Microsoft says. “Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin.”

Despite the old vulnerabilities, it appears Microsoft will be using this new platform to unveil its own security efforts for non-Microsoft software. Google and Opera are the first targets for Microsoft’s disclosure program but given Adobe’s troublesome time with Flash vulnerabilities, it’s only a matter of time before it makes an appearance.

  • McAkins Online

    Way to go MS, you’ve been taking a lot of slack for third-party issues, now it’s time to set the records straight.

  • Spelling Bee

    Taking a lot of flak?

  • GP007

    Heh, old or not this also plays into MS’s hand as far as knocking Chrome’s security standing down a bit. You just don’t hear about problems with Chrome, at least I don’t, since it seems they get fixed on the hush hush, why not bring them to light?

  • spragued

    Countdown until someone in Google PR calls this an “anti-competitive” move… 3… 2… 1

  • Mark

    Um, the MS vulnerability that Google blamed for their network being compromised by the Chinese was YEARS old and several product versions out of date.

    Google is really turning into a hypocritical jerk.