Microsoft announced July 28 that Adobe Systems will begin informing vendors
of software vulnerabilities via the Microsoft Active Protections Program. The
announcement comes in conjunction with the opening of the Black Hat USA security conference, at which
Microsoft is unveiling a number of products designed to enhance the security of
its platforms and applications.
Originally launched in October 2008, MAPP was built with the intention of
delivering vulnerability information to security software vendors ahead of Redmond's
regular Patch Tuesday updates. Microsoft claims MAPP has reduced the time
IDS/IPS (intrusion detection system/intrusion prevention system) vendors need
to create protections, and has allowed smaller vendors to access the relevant
data more quickly.
As part of the program, Adobe will share information about its product
vulnerabilities with 65 global MAPP members.
"Microsoft acknowledges that the constantly changing threat landscape requires
a new approach to security—collaboration and shared responsibility are key as
past individual efforts are no longer enough," Mike Reavey, director of
the Microsoft Security Response Center, said in a statement. "We're
excited about extending the benefits of MAPP to Adobe users as we've seen clear
evidence of its impact in advancing customer protections."
In its own statement, Adobe said MAPP would become "an important
part" of the company's product security initiatives.
"Given the relative ubiquity and cross-platform reach of many of our
products, as well as the continued shifts in the threat landscape, Adobe has
attracted increasing attention from attackers," said Brad Arkin, senior
director of product security and privacy at Adobe. "MAPP is a great
example of a tried and proven model giving an upper hand to a network of global
defenders who all rally behind a shared purpose—protecting our mutual
customers."
Microsoft's other July 28 announcements included introducing EMET (Enhanced
Mitigation Experience Toolkit), which "brings newer security mitigations
to older Microsoft platforms and applications," in the company's words,
and blocking targeted attacks.
The security of Adobe's software has become newsworthy of late. In June, the
company warned users about a
vulnerability affecting Adobe Reader, Flash Player and Acrobat that could be
exploited by attackers to either crash or take control of a system.
"We are in the process of finalizing a fix for the issue, and expect to
provide an update for Flash Player 10.x for Windows, Macintosh and Linux by June 10, 2010," Adobe
wrote in a June 4 advisory. "The patch date for Flash Player 10.x for
Solaris is still to be determined. We expect to provide an update for Adobe
Reader and Acrobat 9.3.2 for Windows, Macintosh and Unix by June 29, 2010."
In July, Adobe announced that it would add sandboxing technology to Adobe
Reader in order to tighten security. This Protected Mode, which will limit the PDF-viewing
program's privileges by default and isolate it from other programs on a system,
will be included in the next full version of the software.
Beginning in 2009, Adobe institutionalized the reviewing of legacy code in
updated applications. More recently, the company instituted a silent updating
feature in Reader and Adobe Acrobat, and has scheduled its security updates to
coincide with Microsoft's Patch Tuesday.