Microsoft: Security efforts have paid off
According to George Stathakopoulos, the General Manager of Microsoft's Trustworthy Computing Group, Microsoft's efforts to increase the security of its products have paid off, particularly now that the programs for improving vendor collaboration have come to fruition. According to the executive, 47 partners now collaborate to share information about threats and virus signatures as part of the Microsoft Active Protections Program (MAPP). This reportedly allows the developers of the Sourcefire IDS (Snort) to build a signature for detecting an exploit within only two hours. Microsoft uses MAPP to share information and documentation about how to reproduce problems and exploit holes.
Stathakopoulos said that the Exploitability Index, introduced as part of MAPP and designed to give IT decision makers a better idea of the urgency of a patch, has been 99 per cent accurate. Reportedly, Microsoft has only had to correct one of its predictions and downgrade the potential attack risk. To help IT executives better manage updates from Redmond, Microsoft has released the Microsoft Security Update Guide. The guide is complemented by the first report of the Quant project, which summarises the open source community's experiences with patch processes and patch management. Project Quant is sponsored by Microsoft.
According to Stathakopoulos, Microsoft's Vulnerability Research Program (MSVR) has also helped improve the security of third-party applications by reporting the vulnerabilities discovered – although, in his guest editorial on the ZDNet blog, the executive gave no actual figures or examples. The MSVR is Microsoft's response to the increased number of application attacks, as applications are now said to have surpassed the Windows operating system as the main target of attacks. A current example is Adobe, where vulnerabilities in Flash Player and Reader can be exploited to hijack entire systems.
Adobe has seen the signs and implemented its own Secure Product Lifecycle (SPLC) to make its products more secure and reduce its threat response times – Stathakopoulos sees parallels to the Security Development Lifecycle (SDL) established about five years ago, and to the foundation of Microsoft's Security Response Centers (MSRC).
According to Stathakopoulos, the most important measure for protecting users is to establish collaboration between vendors and security experts. The executive said this was exemplified by the Conficker Working Group established to combat the Windows worm.
However, if the distribution figures of several million infected PCs are anything to go by, the group has few successes to report. From Microsoft's point of view, the collaboration with security experts may have improved, but looking at problems like the recent zero-day exploits for DirectShow, the situation hasn't really improved from a user perspective. It is of course possible that without Microsoft's efforts things might have completely spiralled out of control by now.
- Zero-day vulnerability in Adobe Flash Player, Reader and Acrobat
- Researchers thwart Conficker worm spread
- Adobe to release quarterly security updates
- Microsoft partners to receive security information in advance
- Microsoft to help vendors to find and fix vulnerabilities