Microsoft is no stranger to security problems as I have reported here at Forbes on far too many occasions for my liking. From the BlueKeep ticking time bomb that prompted an official warning from the U.S. Department of Homeland Security, to Windows 10 security features being borked by official updates and even failures to patch zero-day exploits despite being given three months notice. However, now it has been confirmed that Microsoft is looking for security advice from the unlikeliest of sources: the Linux development community.
However, applying for membership of the closed and private Linux distribution security contacts list isn't as bizarre as it first sounds. There's the small matter of Windows 10 being due to ship with a Linux kernel later in the year, as reported on Forbes by Jason Evangelho. However, more importantly, Microsoft also recently confirmed that "Linux usage on our cloud has surpassed Windows," adding that as a by-product of that Azure usage the Microsoft Security Response Center (MSRC) has "started receiving security reports of issues with Linux code both from users and vendors."
Indeed, as well as Microsoft's Azure supporting popular Linux distributions CentOS, CoreOS, Debian, Red Hat, SUSE and Ubuntu, it also has its builds to consider. These include such things as the Windows Subsystem for Linux v2 (WSL2) as mentioned in that Jason Evangelgo article referenced earlier as well as Azure Sphere that distributes security updates to Linux-based Internet of Things (IoT) devices. In the membership application letter, Sasha Levin, a Microsoft Linux kernel developer, revealed: "Microsoft customers have millions of cores running the various workloads described above."
As to the specifics of why Microsoft wants access to this closed list, Levin explained the issue by suggesting that while Microsoft has a "decades-long history of addressing security issues via MSRC," and is "able to quickly (<1-2 hours) create a build to address disclosed security issues," it requires extensive testing and validation before those patched builds can be made public. "Being members of this mailing list would provide us the additional time we need for extensive testing," Levin concluded.
Times have certainly changed since the then Microsoft CEO, Steve Ballmer, claimed that "Linux is a cancer" back in 2001. Moreover, we should all be very grateful for that as collaboration is at the core of all secure development.
