Patrick Gray (PG): So, what are the changes you've got in store?
George S (GS): When we started the advisories a couple of years ago, it was originally a pilot, and what we are trying to do is see how we can possibly give people faster information about things that affect them.
PG: So you mean an advisory as opposed to a security bulletin?
GS: The difference between a security bulletin and an advisory is that when we issue a bulletin we already have a patch; we give advice to the customers on how to install the patch, and we are fixing the problem that actually affects them. The advisories were intended to provide rapid communication in a case where you have a vulnerability that is publicly exposed and you want to provide people with as many mitigations and workarounds as you can. It is a little bit different because you have to do work and provide useful information to the customer about how to protect themselves.
PG: (Jokingly:) So why don't you do that?
GS: We are working on this. It was a pilot, we have worked on it for a while and now we are getting out of the pilot and we are putting a lot more muscle behind it trying to make it more flexible and provide more information with it. Hopefully in about a year we will have a different discussion.
PG: What are they going to look like in a year?
GS: There is going to be a lot of emphasis on trying to provide information as fast as we can once we are notified of something, even something that we are still investigating. It takes a little bit of time to figure out how deep the problem is, but once we have some basic information we are also going to provide some workarounds and mitigations for our customers in order to protect them.
PG: When are we going to see a patch on the WPAD bug?
GS: I was going to do the dodgy answer of 'when it is ready,' but at this point I know the guys back home are still investigating, trying to see the depth of the problem. Once they have something ready we will come out with it.
PG: That bug was disclosed at an IT security conference in front of 200 people before you were notified. The researcher says he e-mailed security[at]microsoft.com but never heard back. He assumed you didn't care and went public. Do you need to do more in terms of outreach to make sure this stuff doesn't happen again?
GS: You like drama! We have been working very hard over the last three years to actually reach the security community and establish a very strong relationship. We are huge proponents of responsible disclosure; we have worked very hard at giving credit in our advisories to the people who find those bugs, and also at providing a medium for the finders out there to talk to us. The correct e-mail address is the secure[at]microsoft.com account, not security@, which is the physical security department.
PG: You don't think that is a bit confusing?
GS: Perhaps, but it is something we have been using for the last ten to twelve years, so it has been a fairly good medium to do this. Usually we do monitor the security (account) for issues like that; I don't know how this thing slipped through the cracks, but at the same time we like to have an open dialogue with the security research community. You know about Black Hat; we are a company who likes to go out there and talk about security systems or defence mechanisms and the whole thing. We have Blue Hat, where we bring people in to Redmond and we have an open dialogue with the security finders. But you know there is always more to do in outreach, right? In this case I wish we could have done more, but there you go.
PG: C'est la vie?
GS: C'est la vie.
This interview is an edited transcript taken from the Risky Business security podcast on ITRadio.com.au. Transcript by Daniel Smallwood.