Microsoft will begin sharing technical details with security partners about vulnerabilities addressed in its monthly security updates, known as “Patch Tuesdays,” the company announced Tuesday at the Black Hat conference in Las Vegas.
The move, according to the company, was prompted by a growing but undesirable trend associated with Patch Tuesdays that has malicious code writers releasing exploits related to the updates sometimes within hours of the release.
Releasing patches always indicates to hackers the location of vulnerable code, and they will inevitably use that to develop attacks against those who do not patch, said Richard Wang, U.S. manager at SophosLabs.
The new Microsoft Active Protection Program (MAPP) is the company’s attempt to stymie hackers before they can craft their malware by giving security software vendors an opportunity to get ahead of the game and provide updates to customers before any malicious code has been launched.
“This is big news. I was pretty surprised by [the announcement] but in a good way. It’s very responsible, very aggressive and definitely, as big as Microsoft is, very significant,” Chris Rodriguez, an analyst at Frost & Sullivan, told TechNewsWorld.
Advantage Security Industry
Sharing information through this program with vendors will enable Microsoft and its partners “to protect our mutual customers by providing advance information about upcoming security releases. This enables security software providers to protect customers more quickly against possible attacks,” said Mike Reavey, group manager of the Microsoft Security Response Center.
“By receiving vulnerability information earlier, customers benefit from additional possible improvements that provide security protection such as third party Intrusion Detection Systems, Intrusion Prevention Systems or security software signatures. Microsoft continues to recommend that customers deploy security updates to prevent exploitation of vulnerabilities,” he told TechNewsWorld.
Before Microsoft announced MAPP, security software providers received update information when Microsoft publicly released it in its regular monthly bulletin. Microsoft now releases vulnerability reproduction code along with bulletin details to partners in advance of the public release, providing partners sufficient time to test and deploy updates, Reavey said.
MAPP will launch in October, according to Reavey, who said the company is currently enrolling security software providers. Already on board are IBM, Juniper and Tipping Point.
To participate in MAPP, security vendors must meet four specific criteria: First, they must offer commercial protections to Microsoft customers against network or host-based attacks. They must also provide protection to a large number of customers, may not sell attack-oriented tools, and the protections they provide must detect, deter or defer attack, according to Reavey.
The program, said Frost & Sullivan’s Rodriguez, is “long overdue.” He acknowledged, however, that Microsoft had a lot of concerns they needed to address before launching MAPP.
“It takes a lot of trust to release this very inside information. You have to be careful who you let that out to. This really shows the maturity of the security industry. It’s come a long way from the time when vendors would find flaws and make them public as a publicity stunt or to get a lot of coverage or press. Those days are largely past, and Microsoft’s trust in the security industry is highlighted by this move,” he pointed out.
That said, however, a positive result from the program is not guaranteed.
“The success of MAPP will depend on the quality of the information provided by Microsoft and the various security software vendors’ response,” Sophos Labs’ Wang told TechNewsWorld.
Another danger is the possibility that the information Microsoft releases could fall into the hands of cyber criminals.
“It’d be an even bigger advantage for hackers, as it is already a footrace between the security organizations and these malicious code writers. It’s down to hours on Patch Tuesday. You can imagine a week head start for a hacker would be very bad,” Frost & Sullivan’s Rodriguez noted.
Wang agreed, adding, “It is important that information is not leaked to hackers, but this is by no means the first program that Microsoft has set up that shares information with other vendors. They have plenty of experience setting up agreements regarding data confidentiality, and probably have those agreements in place already as part of other Microsoft security initiatives.”