Microsoft To Give Early Warning On Security6:35 PM EST Tue. Aug. 05, 2008
In a major shift in its security strategy, Microsoft says it plans to give security software makers an early look at technical details of security vulnerabilities before it releases updates on Patch Tuesday each month.
Microsoft announced the initiative, called the Microsoft Active Protections Program (MAPP), Tuesday at the Black Hat security conference in Las Vegas.
In a Tuesday post to the newly established Microsoft Security Response Center blog, MSRC senior program manager Steve Adegbite explained that the goal of MAPP is to give security vendors more breathing room to produce signatures.
"Basically, in doing this, we're betting that cutting out the time to reverse engineer our security updates will give valuable time back to the defenders to focus on protection enhancement and faster delivery," Adegbite wrote.
Microsoft has also established what it calls an Exploitability Index, which will be part of Patch Tuesday release and will help customers gauge the likelihood that exploits will be developed for the vulnerabilities addressed by Microsoft security updates, according to Adegbite.
Greg Hanchin, a principal at Denver-based security solution provider DirSec, says Microsoft has improved its security efforts in recent years because it has been listening more to the security community.
"How do you take millions of lines of code and make it perfect? It's hard. Microsoft may be slow to change, but once they do, things do improve," Hanchin said.
The predictability of Microsoft's Patch Tuesday release has steadily cut into the lead time from the announcement of a vulnerability to the release of exploit code, Microsoft believes the MAPP program will help reverse this trend.
"It's not enough to point the finger at one entity and say "Fix it." Those of us who belong to the security ecosystem must own the problem, and share in the solution," Adegbite wrote.