In association with heise online

06 August 2008, 15:32

Microsoft partners to receive security information in advance

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Microsoft has announced at the Black Hat security conference that in future it will provide security service providers with detailed information ahead of time on upcoming security updates to allow them to provide faster and more reliable protection to their customers. One of the reasons Microsoft is doing this is to react to the ever-increasing speed with which exploits aimed at security holes appear. Sometimes initial proof of concept exploits, developed by analysing the patches, are available only hours after updates are released.

Among the information Microsoft wants to provide are instructions on how problems reproduce themselves and how security holes can be exploited. One of the purposes of this is to give vendors of antivirus software and intrusion prevention systems lead time to develop and release signatures.

In the framework of this initiative, called the Microsoft Active Protections Program (MAPP), the Redmond company wants to publish an exploitability index on every patch day, which will list the likelihood that an exploit for a particular security hole will appear. This will allow customers to better assess risk and if necessary, prioritise the dissemination of updates within their organization.

Of course the Common Vulnerability Scoring System (CVSS) has been around for quite some time; it is also used for assessing risk and companies like Cisco and Oracle use it in their security alerts, but the score is relatively difficult to figure out, being anything but user friendly.

Microsoft's new program is slated to begin in October. Until that time, interested companies can apply for acceptance into the program. Microsoft wants to do a careful review of who is allowed to take part in order to prevent abuse. In May, the company had already expanded its Security Cooperation Program (SCP) to include security institutions like computer emergency response teams (CERTs) and computer security incident response teams (CSIRTS) to provide them with advance information on vulnerabilities and security holes in its products.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit