Is Microsoft becoming a security slacker?

analysis
Jan 3, 2011
3 min read

Microsoft's security team fails to reproduce flaws using a fuzzing tool -- until the program's creator decides to release the code

Nine years ago, Microsoft drew a line in the sand and told customers it would focus on making its code more secure and its software development process more transparent.

Called the Trustworthy Computing Initiative, the Jan. 2002 pledge to customers by co-founder Bill Gates was not an initiative born of Microsoft’s foresight, but of its desperation. In 2001, the Code Red and Nimda worms hammered the networks of the company’s customers, causing many to suspend orders for new software until they could be assured that security had a higher priority. In response, two months later, the software giant created the Strategic Technology Protection Program and followed up with the Trustworthy Computing Initiative. However, successive attacks by the fast-spreading SQL Slammer worm and the MSBlast worm in 2003 reinforced that Microsoft still had a long way to go to solve its security problems.

Since then, Microsoft’s costly focus has been an example to other companies of how major software vendors should emphasize security. Many firms have implemented software development methods similar to Microsoft’s Secure Development Lifecycle, and they follow Microsoft’s example of an open engagement with security researchers.

However, Microsoft’s reaction to the release of a fuzzing tool by a well-known security researcher suggests that the company may no longer support a plan of trusted security at any cost. On Saturday, Michal Zalewski, an information security engineer at Google, released a tool for finding vulnerabilities in browsers. The program, called “cross_fuzz,” attempts to find flaws in the way browsers handle certain types of document objects.

In Microsoft’s Internet Explorer, Zalewski found several flaws and warned the Microsoft Security Response Center in July. Nonetheless, the software giant failed to reproduce the issues until late December, when Zalewski warned he was preparing to publish the tool.

“I note that I am still seeing scary crashes with the fuzzer provided on July 29,” he wrote on Dec. 21, according to a timeline of events. “I provide stack traces from a fresh install of Windows with no plugins for one of the obviously exploitable vectors. I reiterate my plan to release the tool in January.”

The reaction does not compare favorably with the handling of the issues by the developers of WebKit, the engine behind Apple’s Safari browser, and the Mozilla Foundation. Both teams had fixes in place by September, according to Zalewski’s timeline.

This is not the first time Microsoft has been taken to task for its seeming complacency regarding security issues. In July, researchers fed up with Microsoft’s delays in handling vulnerabilities announced they would release vulnerability reports immediately, rather than work with the software giant to mitigate the bugs. In response, Microsoft announced its coordinated vulnerability disclosure guidelines, but it remains to be seen what has changed.

Earlier this decade, it took four successive global outbreaks to put Microsoft on the right path to securing its software. While similar incidents are much rarer these days, the recent disclosure incidents suggest that security may not be the priority it once was.

This article, “Is Microsoft becoming a security slacker?,” was originally published at InfoWorld.com.