Thursday May 24, 2012 4:19 PM AEST

Tell them nothing – Microsoft reveals security strategy

By Staff Writers

Microsoft, in conjunction with five major security companies including Foundstone and @Stake, has announced a coalition against 'full disclosure' of security related information, such as exploit code for newly discovered software bugs and vulnerabilities.

According to Security Focus, one of the main aims of the new coalition is to keep initial public releases of vulnerability information vague – a minimum waiting period of 30 days would apply before more detailed examinations (such as how an exploit works, and what code is needed to take advantage of it) are released. The group maintains this 30-day period will give vendors much-needed time to release security fixes before the information is disseminated into the wider security community and malicious users take advantage of the 'blueprints for building [the] weapons'.

The (as yet unnamed) coalition plans to draw up a set of formal guidelines, to be released as RFCs (Request For Comments), that deal with the handling of new security holes. These RFCs would then be submitted to the Internet Engineering Task Force (IETF) to be considered for suitability as official standards.

Microsoft and friends may have trouble gaining the support of the IETF, as some people see this new coalition as a commercial venture aimed at limiting the bad publicity generated by new security holes. Even if the group managed to gain IETF support, many people in the security industry are likely to ignore the guidelines as a matter of principle.

The entire computer security industry has been built around a 'full disclosure of information' mentality. Security mailing lists such as Bugtraq allow network admins and security specialists to share information about potential new exploits, and how to secure their systems against them. However, opponents of full disclosure maintain that these lists also allow malicious users to take advantage of the vulnerabilities before vendors have the chance to release the relevant patches.

Regardless of whether Microsoft and Co. manage to have their proposals designated official standards, it remains highly unlikely that the rest of the computer and information security industry will take the Microsoft line.