Microsoft says Adobe will begin informing vendors of software vulnerabilities via the Microsoft Active Protections Program. Adobe's product security has been a focus of late.
Microsoft announced July 28 that Adobe Systems will begin informing vendors
of software vulnerabilities via the Microsoft Active Protections Program. The
announcement comes in conjunction with the opening of the Black Hat USA security conference, at which
Microsoft is unveiling a number of products designed to enhance the security of
its platforms and applications.
Originally launched in October 2008, MAPP was built with the intention of
delivering vulnerability information to security software vendors ahead of Redmond's
regular Patch Tuesday updates. Microsoft claims MAPP has resulted in a decrease
in the time needed by IDS/IPS (intrusion
detection system/intrusion prevention system) vendors to create protections, as
well as allowing smaller vendors to access involved data more quickly.
As part of the program, Adobe will share information about its product
vulnerabilities with 65 global MAPP members.
"Microsoft acknowledges that the constantly changing threat landscape requires
a new approach to security-collaboration and shared responsibility are key as
past individual efforts are no longer enough," Mike Reavey, director of
the Microsoft Security Response Center, said in a statement. "We're
excited about extending the benefits of MAPP to Adobe users as we've seen clear
evidence of its impact in advancing customer protections."
In its own statement, Adobe said MAPP would become "an important
part" of the company's product security initiatives.
"Given the relative ubiquity and cross-platform reach of many of our
products, as well as the continued shifts in the threat landscape, Adobe has
attracted increasing attention from attackers," said Brad Arkin, senior
director of product security and privacy at Adobe. "MAPP is a great
example of a tried and proven model giving an upper hand to a network of global
defenders who all rally behind a shared purpose-protecting our mutual
Microsoft's other July 28 announcements included introducing EMET (Enhanced
Mitigation Experience Toolkit), which "brings newer security mitigations
to older Microsoft platforms and applications," in the company's words,
and blocking targeted attacks.
security of Adobe's software has become
newsworthy of late. In June, the company warned users about a
vulnerability affecting Adobe Reader, Flash Player and Acrobat that could be
exploited by attackers to either crash or take control of a system.
"We are in the process of finalizing a fix for the issue, and expect to
provide an update for Flash Player 10.x for Windows, Macintosh and Linux by June 10, 2010," Adobe
wrote in a June 4 advisory. "The patch date for Flash Player 10.x for
Solaris is still to be determined. We expect to provide an update for Adobe
Reader and Acrobat 9.3.2 for Windows, Macintosh and Unix by June 29, 2010."
In July, Adobe announced that it would add sandboxing
technology to Adobe Reader in order to
tighten security. This Protected Mode, which will limit the PDF-viewing
program's privileges by default and isolate it from other programs on a system,
will be included in the next full version of the software.
Beginning in 2009, Adobe institutionalized the reviewing of legacy code in
updated applications. More recently, the company instituted a silent updating
feature in Reader and Adobe Acrobat, and has scheduled its security updates to
coincide with Microsoft's Patch Tuesday.
Nicholas Kolakowski is a staff editor at eWEEK, covering Microsoft and other companies in the enterprise space, as well as evolving technology such as tablet PCs. His work has appeared in The Washington Post, Playboy, WebMD, AARP the Magazine, AutoWeek, Washington City Paper, Trader Monthly, and Private Air. He lives in Brooklyn, New York.