Researchers at Microsoft have been quietly finding — and helping to fix — security defects in products made by third-party vendors, including Apple and Google.
This month alone, the MSVR (Microsoft Security Vulnerability Research) team released advisories to document vulnerabilities in WordPress and Apple’s Safari browser and in July, software flaws were found and fixed in Google Picasa and Facebook.
The MSVR program, launched two three years ago, gives Microsoft researchers freedom to audit the code of third-party software and work in a collaborative way with the affected vendor to get those issues fixed before they are publicly compromised.
[ SEE: Microsoft says Google Chrome Frame doubles IE attack surface ]
The team’s work gained prominence in 2009 when a dangerous security hole in Google Chrome Frame was found and fixed but it’s not very well known that the team has spent the last year disclosing hundreds of security defects in third-party software.
Since July 2010, Microsoft said the MSVR team identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.
More than 93 percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important, the company explained.
“Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks,” Microsoft said.
This week’s discoveries:
- A vulnerability exists in the way Safari handles certain content types. An attacker could exploit this vulnerability to cause Safari to execute script content and disclose potentially sensitive information. An attacker who successfully exploited this vulnerability would gain sensitive information that could be used in further attacks.
- A vulnerability exists in the way that WordPress previously implemented protection against cross site scripting and content-type validation. An attacker could exploit this vulnerability to achieve script execution.
