August 5th, 2008

Microsoft makes daring vulnerability sharing move

Posted by Ryan Naraine @ 5:40 am

Categories: Anti Virus, Arbitrary Code Execution, Black Hat, Browsers, Data theft, Exploit code, Malware, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Vulnerability, Security Company, Exploit Code, Microsoft Corp., Security, Ryan Naraine

LAS VEGAS — Starting in October, Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks.

The new Microsoft Active Protections Program (MAPP), which will be formally announced at Black Hat USA 2008 here, will give anti-virus, intrusion prevention/detection and corporate network security vendors a headstart to add signatures and filters to protect against Microsoft software vulnerabilities.

The idea is to provide detection guidance ahead of time to help security vendors reproduce the vulnerabilities being patched and ship signatures and detection capabilities without false positives.

According to Mike Reavey, group manager in the MSRC (Microsoft Security Response Center), the new vulnerability sharing program was created to address the situation today where weaponized exploit code is being released to the public before Windows users can test and deploy the Patch Tuesday fixes.

[ SEE: Security is everyone's domain ]

“This is not for the folks that build attack frameworks,” Reavey said, making it clear the MAPP program will not be available for penetration testing firms like Core Security and Immunity Inc., two companies in the business of reverse-engineering patches to create exploits for IDS/IPS and corporate customers.

“The amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this,” Reavey explained.   With MAPP, which launches officially in mid-October, security vendors will have signatures and filters ready to roll alongside the patches, potentially negating any exploit code release.

“We’re limiting that window of danger,” he added.   Microsoft is not saying exactly when the flaw data will be shared but a source tells me security vendors will get at least a 24-hour headstart.

[ SEE: Skeletons in Microsoft’s Patch Day closet ]

The move is not without major risk.   As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought.  What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?

Reavey acknowledges the risk and insists Microsoft will tightly lock down access to the program and implement measures to identify potential leaks.  Participants in the program must sign NDAs and have a significant enough customer base for protection-oriented software.

[ SEE: Punditry: Will Microsoft buy flaws? ]

Some criteria for participants in MAPP include:

• Members must offer commercial protection features to Microsoft customers against network- or host-based attacks.
• Members must provide protection features to a large number of customers.
• Members may not sell attack-oriented tools.
• Protection features provided by members must detect, deter or defer attacks.

Confirmed participants in the new program include IBM Corp., Juniper Networks and 3Com TippingPoint.  Correction: I’m not yet aware of any participants.  Apologies.