Microsoft Announces Coordinated Vulnerability Disclosure Procedures And First Two Vulnerability Advisories
Yesterday, Microsoft announced that it will be actively demonstrating its commitment to Coordinated Vulnderability Disclosure (CVD) by publishing CVD documents and releasing Microsoft Vulnerability Research (MSVR) Advisories on vulnerabilities discovered by Microsoft but fixed by affected vendors. Microsoft hopes that these documents will provide more transparency and insight into their disclosure philosophy and about how they go through the process.
CVD documents clarify how Microsoft responds as a vendor impacted by the vulnerabilities in their own products and services. These documents also demonstrate how Microsoft acts as a finder of vulnerabilities in third-party products and services, and how they act as a coordinator of such vulnerabilities. Read more on CVDs here (word document).
MSVR advisories cover security vulnerabilities that Microsoft or other security researchers discovered in third-party products or services. Microsoft discloses the vulnerabilities to the affected vulnerabilities using procedures described in the Coordinated Vulnerbility Disclosure.
Additionally, yesterday, Microsoft released the first two MSVR advisories which cover issues discovered by Microsoft in third party products, MSVR11-001 and MSVR11-002. Vulnerability 001 covers a vulnerability affecting the Google Chrome browser in versions prior to 6.0.472.59. This vulnerability affects the Sandbox in Chrome and could actually allow an attacker to run arbitrary code inside of Chrome's Sandbox. If the attacker fully exploited this vulnerability your browser would become unresponsive and/or exit unexpectedly; the attacker could run arbitrary code. Vulnerability 002 affects Google Chrome versions 8.0.552.210 and earlier, and Opera versions 10.62 and earlier; 002 addresses an information disclosure vulnerability which exists in the implementation of HTML5 in these browsers. If an attacker successfully exploited this vulnerability they could obtain private information from you.
As always, you should keep your system and programs on automatic update to get the most up to-date bug-free versions. To learn more about each vulnerability visit the Microsoft Vulnerability Research Advisories page.