Microsoft Adds Adobe To Security Early Warning Group

This fall, Adobe will begin sharing vulnerability information with the Microsoft Active Protections Program (MAPP), a two-year-old group that now includes 65 security vendors. Members of MAPP receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft’s monthly security update.

By sharing vulnerability details before they're made public, MAPP gives vendors time to develop signatures and updates. This is a pressing concern for Adobe, which in the past few months has been dealing with a flood of critical vulnerabilities in its Reader, Acrobat and Flash Player software.

The ubiquity of Adobe software makes it a perfect target for attackers, and there have been numerous flaws for which exploit code has circulated widely.

"Given the relative ubiquity and cross-platform reach of many of our products, as well as the continued shifts in the threat landscape, Adobe has attracted increasing attention from attackers," said Brad Arkin, senior director of product security and privacy at Adobe, in a statement.

MAPP was designed to counteract the predictability of Microsoft's Patch Tuesday release, which attackers had counted on to quickly develop exploits. By giving vendors more time to protect their customers from emerging threats, MAPP disrupts the timing for miscreants and helps level the playing field.

Peter Bybee, president and CEO of San Diego-based solution provider Network Vigilance, sees Adobe's entry to MAPP as a step in the right direction.

"The types of attack vectors that affect Adobe products are almost impossible for companies to guard against," Bybee said. "They're very signature oriented, and you often have to wait for a patch or have a signature upstream in your IPS or firewall."

"This is good news -- it’s about time they got on board," said Andrew Plato, president of Anitian Enterprise Security, based in Beaverton, Ore. "Adobe has a history of being slow to patch vulnerabilities. This, combined with the ubiquity of Adobe products, has made Adobe products, namely Acrobat, a lucrative attack and infection vector."

Microsoft has come a long way in improving the security of its products, and it's been taking a more aggressive leadership role in the security community. But Microsoft now finds itself enmeshed in the old debate over responsible-versus-full disclosure, and Google is the main reason why.

In June, Tavis Ormandy, a Google security engineer, uncovered a vulnerability in XP's Windows Help and Support Center and reported it to the Microsoft Security Response Center (MSRC). But five days later, Ormandy infuriated Microsoft by going public with proof-of-concept exploit code.

Google is trying to get Microsoft, and the industry as a whole, to toss out the old notion of responsible disclosure on the grounds that vendors use it as a shield while they take their time in fixing flaws in their products.

Google believes that vendors bear much of the responsibility for the proliferation of zero-day threats, and it's calling for a 60-day window for vendors to make the needed fixes. Microsoft, meanwhile, says the sheer size of the Windows user base requires it to be careful and avoid rushing out security fixes.

But Microsoft also wants to defuse the loaded nature of the "responsible" part of disclosure in favor of "coordinated" vulnerability disclosure, or CVD.

CVD "is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild," Katie Moussouris, senior security strategist at Microsoft, said in a blog post earlier this month.