ECommerceTimes.com

Microsoft to Give White Hats a Head Start on Patch Tuesdays


Trusted security vendors will soon get to see Microsoft's Patch Tuesday fixes each month before the rest of the world does. The company's new Microsoft Active Protection Program is designed to let security makers head off hackers, some of whom begin crafting malware the moment Patch Tuesday fixes are made public in an attempt to strike at known vulnerabilities before everyone has plugged their systems.


Microsoft (Nasdaq: MSFT) will begin sharing technical details with security partners about vulnerabilities addressed in its monthly security updates, known as "Patch Tuesdays," the company announced Tuesday at the Black Hat conference in Las Vegas.

The move, according to the company, was prompted by a growing but undesirable trend associated with Patch Tuesdays that has malicious code writers releasing exploits related to the updates sometimes within hours of the release.

Releasing patches always indicates to hackers the location of vulnerable code, and they will inevitably use that to develop attacks against those who do not patch, said Richard Wang, U.S. manager at SophosLabs.

The new Microsoft Active Protection Program (MAPP) is the company's attempt to stymie hackers before they can craft their malware by giving security software vendors an opportunity to get ahead of the game and provide updates to customers before any malicious code has been launched.

"This is big news. I was pretty surprised by [the announcement] but in a good way. It's very responsible, very aggressive and definitely, as big as Microsoft is, very significant," Chris Rodriguez, an analyst at Frost & Sullivan, told TechNewsWorld.

Advantage Security Industry

Sharing information through this program with vendors will enable Microsoft and its partners "to protect our mutual customers by providing advance information about upcoming security releases. This enables security software providers to protect customers more quickly against possible attacks," said Mike Reavey, group manager of the Microsoft Security Response Center.

"By receiving vulnerability information earlier, customers benefit from additional possible improvements that provide security protection such as third party Intrusion Detection Systems, Intrusion Prevention Systems or security software signatures. Microsoft continues to recommend that customers deploy security updates to prevent exploitation of vulnerabilities," he told TechNewsWorld.

Before Microsoft announced MAPP, security software providers received update information when Microsoft publicly released it in its regular monthly bulletin. Microsoft now releases vulnerability reproduction code along with bulletin details to partners in advance of the public release, providing partners sufficient time to test and deploy updates, Reavey said.

MAPP will launch in October, according to Reavey, who said the company is currently enrolling security software providers. Already on board are IBM (NYSE: IBM), Juniper and TippingPoint.

To participate in MAPP, security vendors must meet four specific criteria: First, they must offer commercial protections to Microsoft customers against network or host-based attacks. They must also provide protection to a large number of customers, may not sell attack-oriented tools, and the protections they provide must detect, deter or defer attack, according to Reavey.

Security Complex

The program, said Frost & Sullivan's Rodriguez, is "long overdue." He acknowledged, however, that Microsoft had a lot of concerns it needed to address before launching MAPP.

"It takes a lot of trust to release this very inside information. You have to be careful who you let that out to. This really shows the maturity of the security industry. It's come a long way from the time when vendors would find flaws and make them public as a publicity stunt or to get a lot of coverage or press. Those days are largely past, and Microsoft's trust in the security industry is highlighted by this move," he pointed out.

That said, however, a positive result from the program is not guaranteed.

"The success of MAPP will depend on the quality of the information provided by Microsoft and the various security software vendors' response," SophosLabs' Wang told TechNewsWorld.

Another danger is the possibility that the information Microsoft releases could fall into the hands of cyber criminals.

"It'd be an even bigger advantage for hackers, as it is already a footrace between the security organizations and these malicious code writers. It's down to hours on Patch Tuesday. You can imagine a week head start for a hacker would be very bad," Frost & Sullivan's Rodriguez noted.

Wang agreed, adding, "It is important that information is not leaked to hackers, but this is by no means the first program that Microsoft has set up that shares information with other vendors. They have plenty of experience setting up agreements regarding data confidentiality, and probably have those agreements in place already as part of other Microsoft security initiatives."


By Walaika Haskins

