Microsoft to share more vulnerability data with select partners
In what may be becoming a semi-annual ritual, Microsoft chose the Black Hat security conference in Las Vegas to unveil its latest initiative to share details about Windows vulnerabilities with outside sources who may be able to help.
Almost every year this decade, Microsoft has launched or enhanced an initiative to share security information with developers and administrators. In 2005, the company launched its Security Support Alliance, an extension of a program launched the previous year to give advance notices to Certified Gold partners.
In 2006, the company announced the formation of the Security Response Alliance, supposedly on the backbone of the SSA, with the intention of developing a framework for organizations to share IT security information with one another, with one key beneficiary being the Certified Gold partners.
Then last year, Microsoft formed the Security Cooperation Program, along with some of the partners it had gathered together to form the SRA. The SCP, the company said, would have the goal of extending the framework to the public and academic sectors. Last January, the Canadian government joined the SCP; and just last May, Microsoft announced it was reforming the SCP framework to encompass the computer emergency response teams (CERT) of governments worldwide. But one beneficiary, again, would be those partners upon whom Microsoft depends.
This morning, the company chose the annual Black Hat convention in Las Vegas to unveil its latest reformation, or variation on a theme. It's calling this the Microsoft Active Protections Program (MAPP), and in a statement this morning, it says the new program "gives security software providers advance information about vulnerabilities addressed by Microsoft security updates. This will allow security software providers to offer protections to customers quickly and effectively."
But how will this new framework be any different from what Microsoft has unveiled every year, often more than once per year, since at least 2003? BetaNews put the question to Microsoft Security Response Center Group Manager Mike Reavey.
"Before Microsoft announced MAPP, security software providers received update information when Microsoft publicly released them in its regularly scheduled monthly bulletin release," Reavey told BetaNews this afternoon. "Microsoft now releases vulnerability reproduction code along with bulletin details to partners in advance of the public release, providing partners sufficient time to test and deploy updates."
So Microsoft will be giving particular partners whom it trusts detailed information about how its software can be exploited, in advance of its disclosure to the general public on Patch Tuesday. That information includes vulnerability reproduction code, in effect proof-of-concept code, which is something Microsoft has apparently never before shared outside the company; that makes this latest iteration of its sharing program a genuine enhancement rather than a relabeling.
But by simply conveying this information to others, won't MAPP be creating new risks for Microsoft?
"While there are risks incurred by sharing this information early, we believe the risks versus the benefits of protecting customers are balanced," responded Reavey, "and we will continuously evaluate customer and partner feedback on this program."
As Reavey told us, the members of the MAPP program will not, unlike SSA or SRA, be a widely dispersed group of Gold Certified partners or TechNet subscribers. MAPP members will be an exclusive group of participants who must themselves be providers of security software, devices, or practices for Microsoft software. They must already have established customer bases, BetaNews was told -- they can't be newcomers to the field. They can't sell tools that could be used in an attack scenario. And when members use the information Microsoft gives them, it must be to create tools that can detect, deter, or defer attacks.
Exactly how far in advance of public disclosure private partners will be given this information has not been disclosed, though conceivably that could be determined on a case-by-case basis.
Once information about a vulnerability or potential exploit is disclosed by Microsoft, beginning with a future Patch Tuesday advance bulletin, the company will supplement its reports with a feature it's calling an "Exploitability Index." Note that this is a measure of how likely working exploit code is to appear, not of how much damage a vulnerability could do; the bulletins' existing severity ratings continue to cover the latter, so administrators will want to weigh the two together when deciding what to deploy first.
In a statement this morning, Microsoft said this index "will provide customers with guidance on the likelihood of functional exploits being developed for vulnerabilities addressed by Microsoft security updates. This additional information helps customers better assess their unique risks and better prioritize deployment of the monthly security update."
But an index usually implies a quantified, relative measure; in other words, on a scale of 1 to 10, a "5" really does mean halfway. So exactly how would this index work? Microsoft directed BetaNews to a page which was supposed to have been published today, explaining the index in greater detail; as of this afternoon, that page had been removed, with a link to a ZDNet blog posted in its place.
As Mike Reavey told us, "Microsoft has always provided customers with information on the availability of proof of concept code, exploit code, or active attacks related to our Microsoft security updates at the time of release through Microsoft security bulletins and our monthly security webcast. The Exploitability Index was developed in response to customer requests for additional information to evaluate risk. It will provide new data that customers can use to prioritize the deployment of Microsoft security updates by offering details about how likely the release of functioning exploit code is after a security update is released."
Quantifiable risk evaluation measures have long been a key desire of the insurance industry, which has been seeking ways to stratify categories of risk, and of data loss, attributable to software vulnerabilities.
In a blog post this afternoon, MSRC senior program manager Steve Adegbite described MAPP as "a program we created in hopes of actually helping the defenders get a leg up on protecting consumers. The Microsoft Active Protections Program will allow vetted security software providers early access to the technical details on the vulnerabilities we are addressing with each monthly security update. Microsoft is doing this in hopes that we can give the defenders more time to produce timely signatures. Basically, in doing this, we're betting that cutting out the time to reverse engineer our security updates will give valuable time back to the defenders to focus on protection enhancement and faster delivery."