BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company's vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.
In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft's Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.
For most vulnerabilities, Microsoft's current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrators enough time to apply the patch without jeopardizing them, she says. "If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," Gupta says.
Sparse Vulnerability Information?
Microsoft, like other major software vendors, has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.
However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft's current practice of putting vulnerabilities into an "Exploitation More Likely" or an "Exploitation Less Likely" bucket does not provide enough information to make risk-based prioritization decisions.
More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable's CEO Amit Yoran accused the company of "silently" patching a couple of Azure vulnerabilities that Tenable's researchers had discovered and reported.
"Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service," Yoran wrote. "After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," and without notifying customers.
Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.