Microsoft makes daring vulnerability sharing move

Microsoft makes daring vulnerability sharing move

Summary: LAS VEGAS -- Starting in October, Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks.

SHARE:
TOPICS: Security, Microsoft
7

Microsoft makes major Patch Tuesday changes, to share flaw data ahead of timeLAS VEGAS -- Starting in October, Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks.

The new Microsoft Active Protections Program (MAPP), which will be formally announced at Black Hat USA 2008 here, will give anti-virus, intrusion prevention/detection and corporate network security vendors a headstart to add signatures and filters to protect against Microsoft software vulnerabilities.

The idea is to provide detection guidance ahead of time to help security vendors reproduce the vulnerabilities being patched and ship signatures and detection capabilities without false positives.

According to Mike Reavey, group manager in the MSRC (Microsoft Security Response Center), the new vulnerability sharing program was created to address the situation today where weaponized exploit code is being released to the public before Windows users can test and deploy the Patch Tuesday fixes.

[ SEE: Security is everyone's domain ]

"This is not for the folks that build attack frameworks," Reavey said, making it clear the MAPP program will not be available for penetration testing firms like Core Security and Immunity Inc., two companies in the business of reverse-engineering patches to create exploits for IDS/IPS and corporate customers.

"The amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this," Reavey explained.   With MAPP, which launches officially in mid-October, security vendors will have signatures and filters ready to roll alongside the patches, potentially negating any exploit code release.

"We're limiting that window of danger," he added.   Microsoft is not saying exactly when the flaw data will be shared but a source tells me security vendors will get at least a 24-hour headstart.

[ SEE: Skeletons in Microsoft’s Patch Day closet ]

The move is not without major risk.   As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought.  What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?

Reavey acknowledges the risk and insists Microsoft will tightly lock down access to the program and implement measures to identify potential leaks.  Participants in the program must sign NDAs and have a significant enough customer base for protection-oriented software.

[ SEE: Punditry: Will Microsoft buy flaws? ]

Some criteria for participants in MAPP include:

  • Members must offer commercial protection features to Microsoft customers against network- or host-based attacks.
  • Members must provide protection features to a large number of customers.
  • Members may not sell attack-oriented tools.
  • Protection features provided by members must detect, deter or defer attacks.

Confirmed participants in the new program include IBM Corp., Juniper Networks and 3Com TippingPoint.  Correction: I'm not yet aware of any participants.  Apologies.

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • have to say it's good

    Somebody finally gets it about actual security development in a shared mode.
    Narr vi
  • I Agree. Good Move, finally.

    This will allow the mfrs of network perimeter appliances and IPS to solidify their signatures beforehand.
    dunn@...
  • I'm not sure daring is the word...

    They should have been doing this ages ago with just that target group.

    The baddies already know about 99.99% of the flaws anyway.

    ttfn

    John
    TtfnJohn
  • "Daring"?

    What's so "daring" about this? It's still a long way from having their source repository exposed to the world the way every open source project out there has. Which is why there's so many patches for some FOSS projects... because they get patched because a security researcher sees the hole and fixes it before it gets exploited. Instead of months afterwards.
    Resuna
    • Oh god not again

      So using second rate, but passionate programmers with different coding styles and abilities and little to no knowledge of security and exposing all your source code so the world can search for vulnerabilities is a good thing. Sure some of the OSS poster children (both of them) maybe able to implement proper standards and security (at least for a little while until their unpaid programmers leave) but for 90% of the OSS movement security and standards are a joke and large scale alpha and beta testing is a distant dream.

      Of course no-one exploits open source code..

      Yeah right
      tonymcs@...
      • Oh god, not "Oh god not again" again

        "second rate, but passionate programmers with different coding styles and abilities and little to no knowledge of security"

        Are you claiming that all open source developers are second-rate? If so, then your stupidity is exceeded only by your arrogance.

        If not, then you're saying nothing that can't be said about proprietary developers as well. Some suck. Some are good. Just like everything else in life. Get over it.

        "exposing all your source code so the world can search for vulnerabilities is a good thing"

        Well, if you ask the most highly respected experts in the security field, yeah. It is. Ever heard of Dan Farmer? Dan Geer? Bruce Schneier?

        The MSCE at your local BestBuy might not agree though, so better check with him instead.

        "for 90% of the OSS movement security and standards are a joke and large scale alpha and beta testing is a distant dream."

        And this differs from the proprietary software market how exactly? Oh wait, that's right, with proprietary software you don't KNOW how awful it is.

        Diebold anyone?

        "Of course no-one exploits open source code.. Yeah right "

        Ah, the obligatory lame straw man claim.

        Nobody made this claim but you. You made up a ridiculous statement and falsely attributed it to someone else so that you can pretend to debunk it.

        Scrub tactic, failure guaranteed.
        bmerc
  • And Apple?

    Marketing pulls Apple's security engineers from the same
    conference at the last minute.
    Ed Lin