
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft makes daring vulnerability sharing move

By | August 5, 2008, 5:40am PDT


LAS VEGAS — Starting in October, Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks.

The new Microsoft Active Protections Program (MAPP), which will be formally announced at Black Hat USA 2008 here, will give anti-virus, intrusion prevention/detection and corporate network security vendors a head start to add signatures and filters to protect against Microsoft software vulnerabilities.

The idea is to provide detection guidance ahead of time to help security vendors reproduce the vulnerabilities being patched and ship signatures and detection capabilities without false positives.

According to Mike Reavey, group manager in the MSRC (Microsoft Security Response Center), the new vulnerability sharing program was created to address the situation today where weaponized exploit code is being released to the public before Windows users can test and deploy the Patch Tuesday fixes.


“This is not for the folks that build attack frameworks,” Reavey said, making it clear the MAPP program will not be available for penetration testing firms like Core Security and Immunity Inc., two companies in the business of reverse-engineering patches to create exploits for IDS/IPS and corporate customers.

“The amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this,” Reavey explained.   With MAPP, which launches officially in mid-October, security vendors will have signatures and filters ready to roll alongside the patches, potentially negating any exploit code release.

“We’re limiting that window of danger,” he added. Microsoft is not saying exactly when the flaw data will be shared but a source tells me security vendors will get at least a 24-hour head start.


The move is not without major risk.   As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought.  What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?

Reavey acknowledges the risk and insists Microsoft will tightly lock down access to the program and implement measures to identify potential leaks.  Participants in the program must sign NDAs and have a significant enough customer base for protection-oriented software.


Some criteria for participants in MAPP include:

  • Members must offer commercial protection features to Microsoft customers against network- or host-based attacks.
  • Members must provide protection features to a large number of customers.
  • Members may not sell attack-oriented tools.
  • Protection features provided by members must detect, deter or defer attacks.

Confirmed participants in the new program include IBM Corp., Juniper Networks and 3Com TippingPoint.  Correction: I’m not yet aware of any participants.  Apologies.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

15
Comments

have to say it's good
Narr vi 5th Aug 2008
Somebody finally gets it about actual security development in a shared mode.
0 Votes
I Agree. Good Move, finally.
dunn@... 5th Aug 2008
This will allow the mfrs of network perimeter appliances and IPS to solidify their signatures beforehand.
0 Votes
I'm not sure daring is the word...
TtfnJohn 5th Aug 2008
They should have been doing this ages ago with just that target group.

The baddies already know about 99.99% of the flaws anyway.

ttfn

John
0 Votes
"Daring"?
Resuna 5th Aug 2008
What's so "daring" about this? It's still a long way from having their source repository exposed to the world the way every open source project out there has. Which is why there's so many patches for some FOSS projects... because they get patched because a security researcher sees the hole and fixes it before it gets exploited. Instead of months afterwards.
0 Votes
Oh god not again
tonymcs@... 5th Aug 2008
So using second rate, but passionate programmers with different coding styles and abilities and little to no knowledge of security and exposing all your source code so the world can search for vulnerabilities is a good thing. Sure some of the OSS poster children (both of them) may be able to implement proper standards and security (at least for a little while until their unpaid programmers leave) but for 90% of the OSS movement security and standards are a joke and large scale alpha and beta testing is a distant dream.

Of course no-one exploits open source code..

Yeah right
0 Votes
"second rate, but passionate programmers with different coding styles and abilities and little to no knowledge of security"

Are you claiming that all open source developers are second-rate? If so, then your stupidity is exceeded only by your arrogance.

If not, then you're saying nothing that can't be said about proprietary developers as well. Some suck. Some are good. Just like everything else in life. Get over it.

"exposing all your source code so the world can search for vulnerabilities is a good thing"

Well, if you ask the most highly respected experts in the security field, yeah. It is. Ever heard of Dan Farmer? Dan Geer? Bruce Schneier?

The MSCE at your local BestBuy might not agree though, so better check with him instead.

"for 90% of the OSS movement security and standards are a joke and large scale alpha and beta testing is a distant dream."

And this differs from the proprietary software market how exactly? Oh wait, that's right, with proprietary software you don't KNOW how awful it is.

Diebold anyone?

"Of course no-one exploits open source code.. Yeah right "

Ah, the obligatory lame straw man claim.

Nobody made this claim but you. You made up a ridiculous statement and falsely attributed it to someone else so that you can pretend to debunk it.

Scrub tactic, failure guaranteed.
0 Votes
And Apple?
Ed Lin 6th Aug 2008
Marketing pulls Apple's security engineers from the same
conference at the last minute.