Microsoft joins new group created to head off next Heartbleed crisis

The discovery of the Heartbleed zero-day bug in OpenSSL earlier this month has caused concern about the overall security of the Internet. Today, the Linux Foundation announced the formation of a new group that has pledged to help prevent issues such as Heartbleed from happening again.

Microsoft, Google, Intel, Amazon, Facebook, Dell, IBM and others have joined the group, called the Core Infrastructure Initiative, whose primary goal is to get its members to help fund open source projects that need assistance. The first project the group will fund is OpenSSL. The Core Infrastructure Initiative's members will put money into improving OpenSSL's security, releasing patches faster, and obtaining outside reviews of its code.

In his own statement about his company's involvement with the group, Steve Lipner, the partner director of software security at Microsoft, said:

Security is an industry-wide concern requiring industry-wide collaboration. The Core Infrastructure Initiative aligns with our participation in open source and the advancement of secure development across all platforms, devices and services.

In addition to the official members of the group, anyone else can donate money that will be used by the Linux Foundation and/or the Core Infrastructure Initiative's projects.

Source: Linux Foundation


So, OpenSSL lives up to its name, being open, and that is a good thing?
And companies take interest in fixing the problem and that's a bad thing?

Screw occupy wall street... where's the occupy silicon valley movement?

OpenSSL has until now been extremely underfunded, resulting in them not having the time, money or resources to either audit or refactor the code as they should.

HawkMan said,
OpenSSL has until now been extremely underfunded, resulting in them not having the time, money or resources to either audit or refactor the code as they should.

But I thought open-source software was more secure by virtue of being open. And that closed code produced by evil money-grabbing corporations was inherently less secure.

Ironic how for-profit organizations are the ones stepping up to fix the mess. Where is the so-called "community"?

Forjo said,

But I thought open-source software was more secure by virtue of being open. And that closed code produced by evil money-grabbing corporations was inherently less secure.

Ironic how for-profit organizations are the ones stepping up to fix the mess. Where is the so-called "community"?

Have you ever tried to submit a patch to the OpenSSL project? They are apparently not very receptive to external contributions.

I don't see the irony though, considering that lots of corporations produce (and/or take advantage of) open source code.
Open source is about the license, not the development model, and it's not necessarily community driven.

Forjo said,
But I thought open-source software was more secure by virtue of being open. And that closed code produced by evil money-grabbing corporations was inherently less secure.

The difference is companies like Microsoft would have never told you there was a security flaw in the first place but would have "silently" patched hoping it wouldn't come to the public.

And before you say "No they wouldn't", they already have - look at the history of Windows patches and how many of them have been remotely exploitable, giving system-level access to the machine in question, many of which have been exploitable through the basic Windows firewall, and Microsoft didn't tell anyone about them until months after they were discovered.

It took dedicated open source people a few hours to patch this flaw and distribute it to countless servers around the globe.

Whilst you're screaming about open source, people are still using Windows XP.

CuddleVendor said,
The difference is companies like Microsoft would have never told you there was a security flaw in the first place but would have "silently" patched hoping it wouldn't come to the public.

Must have missed where Microsoft publishes security bulletins when vulnerabilities are discovered. Not exactly "silent" about them.
https://technet.microsoft.com/security/bulletin/

CuddleVendor said,
And before you say "No they wouldn't", they already have - look at the history of Windows patches and how many of them have been remotely exploitable giving system level access to the machine in question, many of which have been exploitable through the basic windows firewall and Microsoft didn't tell anyone about them until months after they were discovered.

See above. And also look up Linux's security track record while you're at it. Far from stellar.

CuddleVendor said,
It took dedicated open source people a few hours to patch this flaw and distribute it to countless servers around the globe.

After being vulnerable for how long again?

CuddleVendor said,
Whilst you're screaming about open source, people are still using Windows XP.

And this is Microsoft's fault how exactly? They've only released several newer versions of the OS since then. People don't upgrade then it's on them.

Max Norris said,

Must have missed where Microsoft publishes security bulletins when vulnerabilities are discovered. Not exactly "silent" about them.
https://technet.microsoft.com/security/bulletin/

See above. And also look up Linux's security track record while you're at it. Far from stellar.

After being vulnerable for how long again?

And this is Microsoft's fault how exactly? They've only released several newer versions of the OS since then. People don't upgrade then it's on them.

The difference between linux and windows security in terms of exploits is MS has deals with many IPS/IDS system providers to detect and help prevent exploits of their software, and the protection code/lookup is given in binary only form, therefore you actually have no idea what the exploit does or how it works if someone was to use it.
Linux's exploits on the other hand get revealed to all.
What it comes down to is everyone knowing about linux vulnerabilities VS only top hackers/NSA-like government agencies knowing MS vulnerabilities. But whatever.

n_K said,
What it comes down to is everyone knowing about linux vulnerabilities VS only top hackers/NSA-like government agencies knowing MS vulnerabilities. But whatever.

And that's a bad thing? They announce the vulnerabilities to everybody... just not how to use them. I'd rather have just the people who can fix it know how it works versus *everybody* knowing how it works so they can exploit it and turn it into a security nightmare. But yea, whatever.

And there we go, one bunch of people go and fork to LibreSSL thinking they'll save the world, and all the big boys go support the existing initiative to fix it. And we'll soon have a bunch of other fractured groups as well...

What would be the point? They're working on the same code base, doing the same thing.

They're doing twice as much work just so someone can feel important for having forked LibreSSL.

HawkMan said,
And there we go, one bunch of people go and fork to LibreSSL thinking they'll save the world, and all the big boys go support the existing initiative to fix it. And we'll soon have a bunch of other fractured groups as well...

It's a company image sort of situation. If a company doesn't support the prevention of security exploits, rumours run rampant and the snowball begins its roll down the hill.

It is what it is.

Probably like before, when Microsoft wants to pick up such "community projects", the view of MS is different from the view of the original developers, or, as often happens, there is a lot of MS hatred, so not much cooperation from their side towards MS on some changes.