In association with heise online

11 August 2008, 11:34

Microsoft to help vendors to find and fix vulnerabilities


Microsoft has launched its Vulnerability Research Program (MSVR), aimed at actively tracking down vulnerabilities in third-party applications and offering support with fixing the security holes. The affected software vendors will be informed in confidence about any vulnerabilities discovered and given all the information available to solve the problem.

Microsoft is responding to the increasing number of attacks on applications, which are already said to outnumber those targeting the Windows operating system itself. Microsoft says that by exploiting a critical hole in an application, attackers can still gain control of the whole system.

Apart from using its own analyses within the Microsoft Security Development Lifecycle (SDL), the program will also draw on external reports. According to Microsoft, this was recently the case with the Safari Carpet Bomb – a vulnerability created by the interaction between Apple's Safari browser and Windows. No details were given about how exactly Microsoft helped Apple with the development of an update for Safari. However, Apple solved the problem by preventing Safari from placing downloaded files on the desktop.

Microsoft states that absolute confidentiality will be maintained throughout the entire process and that details of a vulnerability will only be revealed once an update has become available. According to Redmond this minimises the chances of negative effects on customers through exploitation of the vulnerabilities by third parties.

Shortly before, Microsoft announced the Microsoft Active Protections Program (MAPP), which will give security service providers detailed information about upcoming security updates to enable them to protect their customers faster and more efficiently. Starting in October, on Patch Tuesdays, Microsoft also plans to publish an exploitability index detailing each vulnerability's likelihood of exploitation. This is to help customers assess their risks and correctly prioritise updates within their companies.
