Microsoft quietly finding, reporting security holes in Apple, Google products

Summary:Since July 2010, Microsoft's vulnerability research team has identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.

Researchers at Microsoft have been quietly finding -- and helping to fix -- security defects in products made by third-party vendors, including Apple and Google.

This month alone, the MSVR (Microsoft Security Vulnerability Research) team released advisories to document vulnerabilities in WordPress and Apple's Safari browser and in July, software flaws were found and fixed in Google Picasa and Facebook.

The MSVR program, launched two three years ago, gives Microsoft researchers freedom to audit the code of third-party software and work in a collaborative way with the affected vendor to get those issues fixed before they are publicly compromised.

[ SEE: Microsoft says Google Chrome Frame doubles IE attack surface ]

follow Ryan Naraine on twitter
The team's work gained prominence in 2009 when a dangerous security hole in Google Chrome Frame was found and fixed but it's not very well known that the team has spent the last year disclosing hundreds of security defects in third-party software.

Since July 2010, Microsoft said the MSVR team identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.

More than 93 percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important, the company explained.

"Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks," Microsoft said.

This week's discoveries:

  • A vulnerability exists in the way Safari handles certain content types. An attacker could exploit this vulnerability to cause Safari to execute script content and disclose potentially sensitive information. An attacker who successfully exploited this vulnerability would gain sensitive information that could be used in further attacks.
  • A vulnerability exists in the way that WordPress previously implemented protection against cross site scripting and content-type validation. An attacker could exploit this vulnerability to achieve script execution.

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.