Microsoft makes daring vulnerability sharing move
Summary: LAS VEGAS -- Starting in October, Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks.
LAS VEGAS -- Starting in October, Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks.
The new Microsoft Active Protections Program (MAPP), which will be formally announced at Black Hat USA 2008 here, will give anti-virus, intrusion prevention/detection and corporate network security vendors a headstart to add signatures and filters to protect against Microsoft software vulnerabilities.
The idea is to provide detection guidance ahead of time to help security vendors reproduce the vulnerabilities being patched and ship signatures and detection capabilities without false positives.
According to Mike Reavey, group manager in the MSRC (Microsoft Security Response Center), the new vulnerability sharing program was created to address the situation today where weaponized exploit code is being released to the public before Windows users can test and deploy the Patch Tuesday fixes.
[ SEE: Security is everyone's domain ]
"This is not for the folks that build attack frameworks," Reavey said, making it clear the MAPP program will not be available for penetration testing firms like Core Security and Immunity Inc., two companies in the business of reverse-engineering patches to create exploits for IDS/IPS and corporate customers.
"The amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this," Reavey explained. With MAPP, which launches officially in mid-October, security vendors will have signatures and filters ready to roll alongside the patches, potentially negating any exploit code release.
"We're limiting that window of danger," he added. Microsoft is not saying exactly when the flaw data will be shared but a source tells me security vendors will get at least a 24-hour headstart.
[ SEE: Skeletons in Microsoft’s Patch Day closet ]
The move is not without major risk. As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought. What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?
Reavey acknowledges the risk and insists Microsoft will tightly lock down access to the program and implement measures to identify potential leaks. Participants in the program must sign NDAs and have a significant enough customer base for protection-oriented software.
[ SEE: Punditry: Will Microsoft buy flaws? ]
Some criteria for participants in MAPP include:
- Members must offer commercial protection features to Microsoft customers against network- or host-based attacks.
- Members must provide protection features to a large number of customers.
- Members may not sell attack-oriented tools.
- Protection features provided by members must detect, deter or defer attacks.
Confirmed participants in the new program include IBM Corp., Juniper Networks and 3Com TippingPoint. Correction: I'm not yet aware of any participants. Apologies.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
have to say it's good
I Agree. Good Move, finally.
I'm not sure daring is the word...
The baddies already know about 99.99% of the flaws anyway.
ttfn
John
"Daring"?
Oh god not again
Of course no-one exploits open source code..
Yeah right
Oh god, not "Oh god not again" again
Are you claiming that all open source developers are second-rate? If so, then your stupidity is exceeded only by your arrogance.
If not, then you're saying nothing that can't be said about proprietary developers as well. Some suck. Some are good. Just like everything else in life. Get over it.
"exposing all your source code so the world can search for vulnerabilities is a good thing"
Well, if you ask the most highly respected experts in the security field, yeah. It is. Ever heard of Dan Farmer? Dan Geer? Bruce Schneier?
The MSCE at your local BestBuy might not agree though, so better check with him instead.
"for 90% of the OSS movement security and standards are a joke and large scale alpha and beta testing is a distant dream."
And this differs from the proprietary software market how exactly? Oh wait, that's right, with proprietary software you don't KNOW how awful it is.
Diebold anyone?
"Of course no-one exploits open source code.. Yeah right "
Ah, the obligatory lame straw man claim.
Nobody made this claim but you. You made up a ridiculous statement and falsely attributed it to someone else so that you can pretend to debunk it.
Scrub tactic, failure guaranteed.
And Apple?
conference at the last minute.
RE: Microsoft makes daring vulnerability sharing move
RE: Microsoft makes daring vulnerability sharing move
RE: Microsoft makes daring vulnerability sharing move
RE: Microsoft makes daring vulnerability sharing move
RE: Microsoft makes daring vulnerability sharing move
RE: Microsoft makes daring vulnerability sharing move