MSRC


Microsoft Mum On Duqu Fix In November

Microsoft said that it’s looking into a reported zero-day vulnerability in Windows that was used by the Duqu malware to spread, but isn’t committing to a patch for the problem in time for this month’s scheduled update.


The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn’t pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty programs, the Redmond, Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

Microsoft on Tuesday provided key details of a “Coordinated Vulnerability Disclosure” (CVD) program it announced in July and that’s aimed at bolstering collaboration between Microsoft, its customers and the security community.

Things are getting curiouser and curiouser of late at Microsoft. The company is no longer the punch line for every joke in the IT security industry, but now the lessons the company learned in the last 10 years about dealing with researchers and making product security a priority are falling by the wayside.
