Microsoft is planning to implement two new security programs designed to broaden its resources for protecting customers, including one program under which the company will give antivirus, security vendors and some customers early access to soon-to-be-patched vulnerabilities.
The idea behind the early-access program is to give security vendors a head start on developing signatures and filters for attacks that follow the release of a new set of Microsoft patches on the second Tuesday of the month. Microsoft will announce its new plans at the Black Hat conference in Las Vegas this week.
Known as the Microsoft Active Protection Program (MAPP), the new plan will be open to security companies that provide defensive technology to large customer bases, meaning antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) vendors. This kind of early notification is something that other companies have been calling for, and Microsoft officials said they've gotten to the point where they could use some help from the rest of the security community.
Black Hat 2008:
Exclusive photos of Black Hat 2008.
Hoffman to demonstrate new hacking techniques Researcher to demonstrate hacking methods that enable malware authors to shield their programs from analysis.
EV SSL certificates won't stop phishers, researchers say Two researchers call Extended Validation (EV) SSL certificates a Band-Aid approach, and share their research of the phishing underground.
Valuable lesson emerges from DNS flaw handling Any effort to prevent others in the legitimate security community from working out the problem is a waste of time.
"We realize no one can do this alone," said Mike Reavey, group manager at the Microsoft Security Response Center. "We're calling for the security community to work together."
In addition to the MAPP announcement, Microsoft also plans to add a new component to its monthly security advisories: an exploitability index. The index will rank vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within 30 days immediately following the patch release. Each vulnerability will be assigned one of three labels: consistent, meaning it's likely that reliable exploit code will be developed; inconsistent, meaning some code may appear, but it likely won't work against all machines; and unlikely, meaning there's little chance of usable code being developed.
"This is really geared toward the first 30 days after the release of new updates. We always get questions from customers every month about the likelihood that exploit code will be released for a particular update," Reavey said.
Reavey added that Microsoft found that working exploit code has been released for about 30% of its updates in the last two years.
Other security vendors said Microsoft's moves made sense, but may not make a huge difference in the long run.
"The exploitability index is kind of interesting and the first thing I think of is that all of these researchers might see something on the low end of the scale as a challenge," said Fred Pinkett, vice president of product management at Core Security Technologies Inc. in Boston. "It will be interesting to see how it tracks with reality. There are plenty of other vulnerability scoring systems out there already.
"In terms of the advance access to the updates, a day or two isn't going to make much difference to us anyway. We're not in that race. It might help the AV and IDS vendors to have a day or two. But anything that gets earlier protection for the customers is a good thing," Pinkett said.