ABC News
August 5, 2008 6:00 AM PDT

Microsoft to give partners heads-up on security vulnerabilities

Posted by Elinor Mills
  • Font size
  • Print

Microsoft will be giving companies that sell security software and services to its customers a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly "Patch Tuesday" updates.

The new Microsoft Active Protections Program, set to be announced at the Black Hat security conference on Tuesday, is designed to give software vendors a chance to prepare updates to their software before attackers have a chance to reverse engineer Microsoft's security patch and create an exploit.

"It's essentially a race between the attackers and the protectors," said Andrew Cushman, who runs the Microsoft Security Response Center. The program will "give a head start to software providers delivering security features to our mutual customers."

"It will save (vendors) the work of reverse engineering the patch and identifying where the vulnerability is and what triggers the exploitability," he said.

Cushman did not say how vendors would be notified or how much lead time they would get. Software companies that provide protection against host-based or network-based attacks will have to apply for membership to the program and be accepted. They and Microsoft will then be under mutual non-disclosure agreements, he said.

"The goal is to give it to them so they can have updates available as close to 10 a.m. as possible" on the second Tuesday of every month, Cushman said.

The program will begin in October. Microsoft has already floated the idea by IBM/ISS, TippingPoint and Juniper, he said.

Microsoft also will be providing an Exploitability Index in its monthly security bulletins beginning in October that will help organizations prioritize vulnerabilities by assigning one of three ratings to each one based on the likelihood of exploits being developed. The ratings from most severe to least severe are: "exploitation is likely to occur and to be reliable," "exploitation is likely to occur but with inconsistent reliability" and "exploitation is unlikely to occur," according to Cushman.

Click here for full coverage of Black Hat 2008.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

News

Tags:

security,

Microsoft,

Black Hat 2008

Share:
Digg
Del.icio.us
Reddit
Recent posts from Security
Study: Data breaches rose in 2008
Fake celeb LinkedIn profiles lead to malware
Hackers hit MacRumors keynote coverage
Alarm systems at risk: UL establishes a higher security requirement for magnetic switches
Twitter phishing scam may be spreading
'Curse of silence' smartphone flaw disclosed
Defense contractors eye cybersecurity bonanza
Web browser flaw could put e-commerce security at risk
Add a Comment (Log in or register) 4 comments
by n3td3v August 5, 2008 8:17 AM PDT
Verbal contracts of non-disclosure agreements don't work, you need a new law in place, which I call the responsible disclosure act, http://seclists.org/fulldisclosure/2008/Jul/0439.html to enforce the agreement by a law if the agreement is broken. Or are you guys just gonna do another "oops the cat's out the bag" again like what happened with the verbal contract agreement Dan Kaminsky had with everyone before a blog entry leaked the vulnerability by *accident*. Is this Microsoft agreement of non-disclosure actually enforceable by any current law? If not a new law is needed to be drawn up, see the link above, or this "Microsoft Active Protection Program" is gonna turn out a complete shambles.
Reply to this comment
by The_Decider August 9, 2008 9:53 AM PDT
You are missing the point. It doesn't matter if a researcher publishes details about yet another MS flaw. Some black hat will find it and exploit it before MS fixes it.

"Responsible disclosure" is just a buzzword for corporations not wanting to take responsibility.
by jcorio August 5, 2008 10:11 AM PDT
Yeah... but this isn't like the whole Matasano/Kaminsky thing... these are actual businesses that have partnered together previously and have well vetted non-disclosure agreements and contracts in place. These are (and have been many times) enforcable by law.
Reply to this comment
by The_Decider August 5, 2008 11:19 AM PDT
If it was to be announced at Black Hat, then why did they announce it earlier?

This is a positive development, however, wouldn't it be better if MS spent their time creating an OS that isn't exploited every minute of every day?
Reply to this comment
advertisement

In the news now

Apple: DRM-free tunes, unibody MacBook Pro

roundup At Macworld, Phil Schiller touts 10 million songs sans DRM, plus 69-cent songs, a unibody 17-inch notebook, iLife updates, and more.


Countdown to CES

special coverage The tech community descends on Las Vegas as the Consumer Electronics Show gets ready to kick off in all its gadgety glory.


About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement

Inside CNET News

Scroll Left Scroll Right
News
Site map
Latest news
Business tech
Green tech
Wireless
Security
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
CNET Widgets
About CNET