April 17, 2014

Microsoft clarifies position on passing vulnerability information to US government

(LiveHacking.Com) – The repercussions of Edward Snowden's revelations about the National Security Agency's Prism surveillance programme are still unfolding, and attention has now turned to the role that security vulnerabilities play in the NSA's surveillance.

A few days ago the US news agency Bloomberg claimed that Microsoft provides the US government with information on security vulnerabilities in Windows and its other products before it tells its customers. Bloomberg's Michael Riley wrote, "Microsoft provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix. That information can be used to access the computers of terrorists or military foes."

To clarify the situation Microsoft has released a statement in which it confirms the existence of several security-related programs, including the Microsoft Active Protections Program (MAPP), under which security software vendors receive advance vulnerability information so they can prepare protections before the patch ships, and the Security Cooperation Program (SCP) for Governments. These programs aren't secret, and the confirmation of their existence isn't a new revelation. According to the statement, "Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers."

What this means is that Microsoft reveals details of the vulnerabilities to its partners, including the US government, just a few days before the public patches are available. The real question is not the timing but the level of detail that Microsoft gives its partners. Many of the vulnerabilities fixed by Microsoft are either privately reported or found internally by Microsoft, so details of how to exploit them are rarely made public; the advance notice would matter far less for bugs whose exploitation details were already circulating.

It would seem that members of the Microsoft programs get full access to details of the vulnerabilities, as "Membership provides key technical information on security vulnerabilities prior to the security update being publicly available."