Microsoft team finds bugs in Apple and other companies' products

Finding and reporting bugs is something every software company has to do, but usually only in its own products. Microsoft, on the other hand, has spent the past couple of years finding and reporting bugs in other companies' software, including products made by Apple and Google. ZDNet.com reports that the Microsoft Security Vulnerability Research team, otherwise known as MSVR, has so far found 109 software bugs in products from 38 different companies since July 2010.

The past couple of months have seen the MSVR team finding and reporting bugs in a number of products. In July the team found security issues in Facebook and in Google's Picasa service; both have since been fixed by the respective companies. In August the team found security problems in Apple's Safari web browser as well as in the WordPress blogging software. Microsoft said, "Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks."

Microsoft's third-party research team first got some attention in 2009 when it found a particularly bad security issue in Google's Chrome Frame. Microsoft has published a list of all the security issues it has found in third-party software products since April on the MSVR web site. Other companies Microsoft has helped out in the past several months include RealNetworks, Opera (with its web browser) and Foxit (with its PDF reader software).

38 Comments

It's funny how Microsoft is reporting bugs found in other third-party software when Microsoft has hundreds of their own bugs in their operating system. Bads...

Syndicated8 said,
It's funny how Microsoft is reporting bugs found in other third-party software when Microsoft has hundreds of their own bugs in their operating system. Bads...

Microsoft is THE most proactive company in the entire industry with regards to bugfixes and security patches. There really isn't any way to say it better than it has already been said in previous comments. This is a very good thing for the industry as a whole.

The MSVR is just one team of many, many in Microsoft; why do ignorant people think they also work on building the operating system?

The canteen staff work for Microsoft too; does that mean they have to teach you how to use a PC too?

Fact is, there will always be bugs and security issues, because it's an ever-growing industry and technologies grow, as do ways to use and abuse them; you either embrace it or hide in the attic.

KingCrimson said,
classic case of throwing stones in glass houses. Shame MSFT Shame!!!!

Yea, nothing makes a company more irresponsible and evil than helping others out with defects and security problems.. So it would be better if Microsoft just burnt the consumer then? /s

AMPSV said,
The pot calling the kettle black.
Wow, Microsoft, just build bug-proof software yourself.

Constructive bug finding helps everyone, and Microsoft should have been actively doing this a long time ago, seeing as it tends to be 3rd-party software causing the majority of instability in workplaces I have been a part of.

AMPSV said,

Wow, Microsoft, just build bug-proof software yourself.

What do you think they're busy with? Other software was causing those bugs, what article were you reading?

AMPSV said,
The pot calling the kettle black.
Wow, Microsoft, just build bug-proof software yourself.

Dude - MSFT invests massive amounts in their test departments. You are an ignorant troll.

AMPSV said,
The pot calling the kettle black.
Wow, Microsoft, just build bug-proof software yourself.

I'll refer ya to my response in the post above yours. If Microsoft had issues, you might have a valid argument.

It tells me that you don't have respect for what Microsoft did with their security refocus, which did make things different and also helped the entire industry, with what Microsoft learned about security from getting hit hard by exploits.

There was a time when Microsoft created their own security nightmares, and there was also the time when Microsoft was hit with attacks and exploits that we (security experts) didn't even realize were possible. That benefited everyone, because after Windows got smacked with new exploit concepts, Linux and OS X were able to go in and safeguard against the new concept of attack as well.

I do know you are trolling, but you could take this as an opportunity to go, "well, maybe I am still stuck in the Microsoft-sucks mindset and it is time to let it go and see them for the good and bad that they are instead of my past illusion."

Whatever. Stop worrying about others and spend more time on your products. And yes, they may be "helping" other companies, but if they cannot help themselves and fix their stuff.

techbeck said,
Whatever. Stop worrying about others and spend more time on your products. And yes, they may be "helping" other companies, but if they cannot help themselves and fix their stuff.

That comment is just too ignorant to warrant an explanation explaining all the ways you are wrong.

Xerax said,
That comment is just too ignorant to warrant an explanation explaining all the ways you are wrong.

And I don't really care what the **** you think, really. Your comment is a typical troll comment.

Don't like my comment? Don't post. Simple as that, really. I understand MS tests software to be compatible with their own ****. DUH. MS's own software a lot of times doesn't work well with each other. That's my point. Fix their own **** and let others work on their own DNR. Other companies are given access and rights to test MS software with their own.

Now, troll on

And again, don't like what I say? I don't give a ****.

Edited by techbeck, Aug 27 2011, 6:48pm :

techbeck said,
Whatever. Stop worrying about others and spend more time on your products. And yes, they may be "helping" other companies, but if they cannot help themselves and fix their stuff.

Ok, I'll bite. What Microsoft product is full of security holes that needs their attention?

Windows 7 - less holes than OS X

IE9 - less holes than Chrome, Firefox, and Safari

Office - less holes than Open Office (which is weird as Office has a complete programming environment.)

IIS - less holes than Apache

ASP.NET - less holes than PHP (Which is why IIS in 2008 R2 has a new way to integrate PHP and put a security wrapper around it.)

MSSQL - less holes than MySQL and even the old big dogs of databases

XBox - less holes than PS3

WP7 - less holes than iOS and far less than Android
*WP7 even got attention this week by a few testing companies as the most stable smartphone OS.


So, I would be there with ya, if there were issues in Microsoft products, but this isn't 2002 or 1999, and Microsoft has a good handle on security that makes even the 'darling' companies appear to be lacking.

If you look at OS X Leopard & Snow leopard, there were more security hole patches by a factor of 20 to 1 than BOTH Vista and Windows 7, even including the extra six months Vista was on the market before Leopard. (This isn't a 'few more holes', this is a massive difference when you get into the 10 to 1 and 20 to 1 ratios.)

So this explains why Microsoft cannot help its own customers on their platform with problems with their own software and programs. They are too busy worried about other companies' platforms. WOW!

JSYOUNG571 said,
So this explains why Microsoft cannot help its own customers on their platform with problems with their own software and programs. They are too busy worried about other companies' platforms. WOW!

plz tell me this was sarcasm. if it wasn't, then you're a complete moron.

JSYOUNG571 said,
So this explains why Microsoft cannot help its own customers on their platform with problems with their own software and programs. They are too busy worried about other companies' platforms. WOW!

Wow. You're seriously going to take something positive like this and turn it negative? Totally unrelated comment is totally unrelated.

Everyone should remember stuff like this when they hear companies that gladly work behind the scenes with Microsoft and take their advice talk smack about Microsoft in public.

Like the recent Google developers and CEO comments - Especially the one about Microsoft not innovating, when Chrome directly modeled the IE7 sandbox but without the OS security level model.


Good. Now fix your own bug in Skype (and stop Skype Home from coming up all the time when you run Skype) while you're at it. And this annoying I/O error.


PaulAuckNZ said,
Good. Now fix your own bug in Skype (and stop Skype Home from coming up all the time when you run Skype) while you're at it. And this annoying I/O error.


Jeez... Give them a chance to finalize the purchase first... LOL

M_Lyons10 said,

Jeez... Give them a chance to finalize the purchase first... LOL

Better telling them now than later :Þ If they're listening.

PaulAuckNZ said,

Better telling them now than later :Þ If they're listening.

Obviously they're not, and obviously they have more and smarter people that know better what they'll do with Skype.

Unfortunately, Microsoft has often taken the blame even though it has nothing to do with certain vulnerabilities and infections.

This is quite a necessary move by Microsoft.

This is smart for Microsoft; bugs in programs and tools used on their OS can reflect badly on them (even if that's unfair, average people don't always distinguish between the 2).

Ryoken said,
This is smart for Microsoft; bugs in programs and tools used on their OS can reflect badly on them (even if that's unfair, average people don't always distinguish between the 2).

They aren't just looking at software that runs on Windows though. They have addressed server security issues and even software issues on OS X.

(Note the Facebook, Picasa, WordPress as simple examples. Even prior to this team, Microsoft worked with PHP and Apache and MySQL and a majority of products throughout the industry, no matter if the products were running on Windows or Linux servers.)

Sadly, not all companies 'appreciate' the help, especially when Microsoft finds hardware level security flaws that are not just a firmware or software patch.

Apple and Google keep very very quiet about any help Microsoft has given them, and even Sony which once used Microsoft servers, asked for Microsoft's help in the Anonymous and follow up attacks, but it wasn't something they announced for some obvious reasons.

Ryoken said,
This is smart for Microsoft; bugs in programs and tools used on their OS can reflect badly on them (even if that's unfair, average people don't always distinguish between the 2).

+1. All it becomes is "I got a virus, Windows sucks..." When they could have gotten the virus from a flaw in Quicktime, or Flash, or their browser... Anything can be targeted anymore.

M_Lyons10 said,

+1. All it becomes is "I got a virus, Windows sucks..." When they could have gotten the virus from a flaw in Quicktime, or Flash, or their browser... Anything can be targeted anymore.

Unfortunately the masses will not see it that way. So the overall product is to blame but hey if you want to spend a fortune on Apple be my guest. I for one love my custom built PC (which was built cheaper than a high-end Mac) and I keep the software on my machine up to date. I NEVER had issues with my PC.

thenetavenger said,

Apple and Google keep very very quiet about any help Microsoft has given them,

Security researchers are credited by name when they discover and report bugs. For example, here are the notes from the last QuickTime update; notice entry #2:

http://support.apple.com/kb/HT4826


Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site

Description: A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.7. This issue does not affect OS X Lion systems.

CVE-ID

CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)

The bolding is mine.
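The HT4826 entry quoted above describes the bug class (a media plug-in following a redirect to a different site and exposing the fetched data to the embedding page) and the fix (refuse to follow cross-site redirects). The model below is an added illustration of that check, not Apple's, QuickTime's or Microsoft's code; the in-memory "server" table, the hostnames attacker.example and victim.example, and the assumption that the plug-in hands the fetched bytes to the embedding page are all constructed for the demonstration. The same-origin comparison uses the browser's scheme/host/port triple, which is an assumption: the page does not say what policy QuickTime actually adopted.

```python
"""
Illustrative model of the cross-site-redirect disclosure class described in
Apple's HT4826 entry for CVE-2011-0187.  Added example; not the code of Apple,
QuickTime or Microsoft.  All URLs, hostnames and responses are constructed.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed in-memory "internet": url -> (status, headers, body).
# attacker.example serves a movie URL that merely bounces the plug-in to a
# resource on victim.example that the attacker's page could not read directly.
RESPONSES = {
    "http://attacker.example/movie.mov": (302, {"Location": "http://victim.example/private.mov"}, b""),
    "http://victim.example/private.mov": (200, {}, b"PRIVATE-VIDEO-DATA"),
    # A benign same-site redirect with a relative Location header.
    "http://attacker.example/hop1": (302, {"Location": "/hop2"}, b""),
    "http://attacker.example/hop2": (200, {}, b"same-origin media"),
}


class CrossOriginRedirect(Exception):
    """Raised by the hardened fetcher when a redirect would change origin."""


class TooManyRedirects(Exception):
    pass


def origin(url):
    """Browser-style origin triple: (scheme, host, effective port)."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def fetch_raw(url):
    """One round trip against the constructed response table."""
    return RESPONSES.get(url, (404, {}, b""))


def fetch_following_redirects(url, same_origin_only, max_hops=5):
    """Follow redirects, returning (status, final_url, body).

    With same_origin_only=False this behaves like the vulnerable plug-in:
    whatever the chain ends at is handed back to the caller.  With
    same_origin_only=True a redirect that leaves the original origin is
    refused before the request is made (the fix described in HT4826).
    """
    start = origin(url)
    for _ in range(max_hops + 1):
        status, headers, body = fetch_raw(url)
        if status not in REDIRECT_CODES:
            return status, url, body
        target = urljoin(url, headers.get("Location", ""))  # resolve relative Location
        if same_origin_only and origin(target) != start:
            raise CrossOriginRedirect(f"{url} -> {target} crosses origin {start}")
        url = target
    raise TooManyRedirects(url)


def vulnerable_plugin_load(url):
    """Model of the pre-fix behaviour: the embedding page receives the bytes."""
    _, _, body = fetch_following_redirects(url, same_origin_only=False)
    return body


def hardened_plugin_load(url):
    """Model of the fixed behaviour: returns None instead of cross-site data."""
    try:
        _, _, body = fetch_following_redirects(url, same_origin_only=True)
    except CrossOriginRedirect:
        return None
    return body


if __name__ == "__main__":
    leak = vulnerable_plugin_load("http://attacker.example/movie.mov")
    print("vulnerable plug-in exposes:", leak)                 # victim's data leaks
    print("hardened plug-in exposes: ", hardened_plugin_load("http://attacker.example/movie.mov"))
    print("same-site redirect still works:", hardened_plugin_load("http://attacker.example/hop1"))
```

The check has to run on the resolved Location value before the next request is issued, and relative Location headers must be resolved against the current URL first, otherwise a relative path that is later re-based by a proxy or a second hop slips past a naive string comparison.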

Ryoken said,
This is smart for Microsoft; bugs in programs and tools used on their OS can reflect badly on them (even if that's unfair, average people don't always distinguish between the 2).

Very true.

evn. said,

Security researchers are credited by name when they discover and report bugs. For example, here's the notes from the last QuickTime update, notice entry #2:

http://support.apple.com/kb/HT4826

The bolding is mine.

Yes you are correct, but I didn't say they were 'silent', but quiet about it.

They don't deny who found the issue; however, they often won't disclose that someone outside Apple submitted the code sample for the fix.

(The one you reference in your example, Microsoft provided a code sample that Apple used, does Apple happen to mention how 'helpful' Microsoft was in also giving them a sample code fix, and explaining how to avoid this type of vulnerability to help Apple in the future? Nope...)

Which makes this a quiet disclosure, not silent, but quiet.

Microsoft does have an advantage, as they have been 'smacked' with every trick and things that the IT world didn't even realize were possible just a few years ago. (Go look at security certifications, and notice that there are exploits we know about today that, when the security certifications were made, we didn't realize were possible, or even that the potential of an attack vector could happen in the ways they have.)

Microsoft built a new type of automated security testing servers in 2002, which they have advanced over the years to become a rather impressive security testing lab. This is one reason they can find easy-to-spot security issues, and they keep expanding the technology, which they use for their own and others' software, as well as things like WP7 app testing.

(Which Google needs to pay Microsoft to do for Android Apps as well.)

thenetavenger said,

Yes you are correct, but I didn't say they were 'silent', but quiet about it.

What exactly would you find appropriate? Press releases on Tuesday singing the praise of individual security researchers? Times Square billboards?

They don't deny who found the issue; however, they often won't disclose that someone outside Apple submitted the code sample for the fix

Nor does Microsoft. Like most firms the details of who submits a bug report with or without sample code is rarely if ever discussed: certainly not in closed source projects on the scale of Mac OS X, Windows, or Chrome.

(The one you reference in your example, Microsoft provided a code sample that Apple used, does Apple happen to mention how 'helpful' Microsoft was in also giving them a sample code fix, and explaining how to avoid this type of vulnerability to help Apple in the future? Nope...)

Source?

While I've little doubt Microsoft was able to supply a sample exploit to QuickTime, it seems pretty unlikely they could supply a bug fix given they lack access to the QuickTime source code.

I'm just trying to understand what you expect Apple or Google to do different from Microsoft security updates.