Guest editorial by Andrew Storms
When Microsoft first announced the Microsoft Active Protections Program (MAPP) in 2008, there was a lot of valid speculation that the program might actually end up endangering users instead of protecting them. The thought process was simple: If Microsoft released valuable vulnerability data outside the castle walls, even 24 hours early, it would benefit cyber criminals more than customers. The fear was that the information would leak and speed up the creation of more and better exploits that would be released in the wild.
That speculation was squashed pretty quickly and the program has been running efficiently ever since.
There have been some unconfirmed rumors about MAPP leaks in the past, but none of them have been as brazen and obvious as yesterday's RDP proof-of-concept exploit code leak.
Microsoft hasn't directly pinpointed that there is a leak in the program, but they have acknowledged a potential problem (to the degree the Microsoft PR machine allows).
"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."
So, what might this mean for the future of MAPP?
Well, probably not much. There will be people calling for Microsoft to scrap MAPP, but considering the market value of the information shared with MAPP partners, one confirmed leak in four years is a pretty impressive track record.
As an optimist, I think this incident just underscores the motivation of almost everyone in security to work together to reduce customer risk and improve information security programs.
* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.