Microsoft denies aiding the government hacking programs
Posted by: TimW on 06/17/2013 03:10 PM
As the US Senate debates the NSA's PRISM program, the US news agency Bloomberg reports that Microsoft has been providing US intelligence agencies with information on security vulnerabilities in its products before it releases the corresponding patches.
Bloomberg's Michael Riley suggests that this information is not used solely to protect the government's own computers: the same vulnerabilities could be used to break into computers belonging to terrorists or hostile militaries. Microsoft denies the allegation in an email statement sent to a number of media outlets. "Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have government participants." The statement adds that disclosure takes place a short time before its monthly Patch Tuesday, which limits how long any recipient could use the information before a fix is available.
In any case, government agencies have better channels for obtaining security vulnerabilities. Various independent security companies sell undisclosed vulnerabilities and the accompanying exploits (0-days) to the highest bidder, and government agencies are regular and welcome customers, since they can afford far higher prices than criminal buyers. Vulnerabilities traded on this market rarely find their way back to the vendor of the affected product; because no patch is ever issued, such exploits remain usable for as long as the flaw goes unnoticed, which can be months or years.
The full text of Microsoft's statement is as follows:
"Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have government participants. Prior to any fix being released to the ~1B computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.
One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft's monthly security update release so partners can build enhanced customer protections. Another example of information sharing is the Security Cooperation Program (SCP) for Governments. Membership provides key technical information on security vulnerabilities prior to the security update being publicly available. This allows members more time to prioritize creating and disseminating authoritative guidance for increasing network protections."