Welcome to the second installment in our series on transparency at the Microsoft Security Response Center.
In this series we discuss our commitment to providing comprehensive vulnerability information to our customers.
At MSRC, our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy.
In our previous blog post, we explored the root causes behind vulnerabilities documented with CWEs.
This post discusses documenting a new class of vulnerabilities: Cloud Service CVEs.
The Common Vulnerabilities and Exposures program is celebrating its 25th anniversary this year, and Microsoft has always been an active participant.
In the past, Cloud service providers refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required.
The common understanding was that if the customer didn't need to install updates then no additional information was necessary to help them stay secure.
We are now announcing that we will issue CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.
As our industry matures and increasingly migrates to cloud-based services, we must be transparent about significant cybersecurity vulnerabilities that are found and fixed.
By openly sharing information about vulnerabilities that are discovered and resolved, we enable Microsoft and our partners to learn and improve.
This effort aligns with the priorities articulated by Charlie Bell, Executive Vice President, Microsoft Security: transforming software development, implementing new identity protections, and improving transparency and vulnerability response time.
The CVE program recently updated the rules that provide guidance to CVE Numbering Authorities like Microsoft.
This direction towards greater transparency is encouraged by these new rules.
We encourage all CNAs to assess how these new rules affect their products.
MSRC acknowledges that not all customers want to invest time and energy in addressing this new class of CVEs that don't require further action.
On the Security Update Guide Vulnerabilities tab, there will be a new column to show whether customer action is required.
In the CVE.org record, we will use the exclusively-hosted-service tag to indicate that there is no action required by the customer.
CVE-2024-35260 is an example of this new class of CVEs.
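The tag described above lives in the CNA container of a CVE JSON 5.x record (`containers.cna.tags`), so a vulnerability-management pipeline can sort cloud-service CVEs from action-required CVEs mechanically. The following is an added example, not code from MSRC or the CVE program; the records in it are constructed to have the CVE JSON 5.x shape and their IDs, descriptions and tags are made up (they are not the published record for CVE-2024-35260 or any other CVE).

```python
"""Triage CVE JSON 5.x records by the exclusively-hosted-service CNA tag.

Added example. Sample records below are constructed for illustration and are
not real CVE records.
"""
import re

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
HOSTED_SERVICE_TAG = "exclusively-hosted-service"  # CNA tag value defined by the CVE JSON 5.x schema


def _record(cve_id, description, tags=None):
    """Build a minimal constructed record in CVE JSON 5.x layout."""
    cna = {"descriptions": [{"lang": "en", "value": description}]}
    if tags:
        cna["tags"] = list(tags)
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
        "containers": {"cna": cna},
    }


# Constructed sample input: one server-side-fixed cloud CVE, one CVE that needs a
# customer update, and one malformed entry to exercise the validation path.
SAMPLE_RECORDS = [
    _record("CVE-2024-10001", "Example cloud service flaw, fixed by the provider.",
            tags=[HOSTED_SERVICE_TAG]),
    _record("CVE-2024-10002", "Example client component flaw; install the update."),
    _record("CVE-24-1", "Malformed identifier, should be rejected."),
]


def cna_tags(record):
    """Return the CNA-container tags of a record (empty list if none are set)."""
    return record.get("containers", {}).get("cna", {}).get("tags", [])


def requires_customer_action(record):
    """True unless the CNA tagged the record as exclusively-hosted-service.

    Raises ValueError for records that are not well-formed CVE_RECORD objects,
    so a bad feed entry is surfaced instead of silently counted as no-action.
    """
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD object")
    cve_id = record.get("cveMetadata", {}).get("cveId", "")
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return HOSTED_SERVICE_TAG not in cna_tags(record)


def triage(records):
    """Split records into (action_required_ids, informational_ids, rejected_ids)."""
    action_required, informational, rejected = [], [], []
    for record in records:
        cve_id = record.get("cveMetadata", {}).get("cveId", "<missing id>")
        try:
            needs_action = requires_customer_action(record)
        except ValueError:
            rejected.append(cve_id)
            continue
        (action_required if needs_action else informational).append(cve_id)
    return action_required, informational, rejected


if __name__ == "__main__":
    action, info, bad = triage(SAMPLE_RECORDS)
    print("action required:", action)
    print("informational (hosted service, fixed by provider):", info)
    print("rejected:", bad)
```

Real records in this format can be retrieved from the CVE Services API (for example `https://cveawg.mitre.org/api/cve/<CVE-ID>`) and passed straight to `triage`; the informational bucket is the set of cloud-service CVEs that warrant awareness but no customer patching.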
As always, we look forward to your feedback, which you can provide by clicking on the rating banner at the bottom of every CVE page in the Security Update Guide.
This Cyber News was published on msrc.microsoft.com. Publication date: Thu, 27 Jun 2024 17:43:06 +0000