Heading into yet another annual Black Hat USA conference during which its products will no doubt be publicly hacked, cracked and attacked by numerous security researchers looking to show off their latest techniques, Microsoft is highlighting advancement of a trio of initiatives introduced last year aimed at helping to foster better information sharing among vendors and researchers regarding product vulnerability issues.
On the eve of Black Hat USA 2009, being held this week at Caesar’s in Las Vegas, the software giant issued a white paper calling out progress within its Microsoft Active Protections Program (MAPP), Microsoft Exploitability Index and Microsoft Vulnerability Research (MSVR) efforts, all of which were first introduced to the public in late 2008 as Microsoft continued to expand its interaction with the vulnerability researchers and ethical hacking community embodied by the Black Hat audience.
Just several years ago it was considered big news that Microsoft was merely willing to send members of its Windows product development team to Black Hat to speak about some of the internal processes it had introduced to attempt to drastically improve security of its next-generation Vista operating system and ubiquitous Office solutions.
Today, Microsoft has fostered a security effort that in some manners rivals the expertise of some of the largest, most established companies in the business, including Symantec and McAfee, having poached some of the most recognizable researchers from those very vendors and seemingly made good on the initial promise of its Trusted Computing initiative to radically improve its overall security standing.
The three programs introduced in 2008 have had a positive effect on Microsoft’s collaboration around the dissemination of vulnerability data with its vendor partners, security technology providers and the vulnerability research community itself, the company claims in its report.
Microsoft still grapples with some hefty Patch Tuesday deliverables and Windows technologies remain squarely in the crosshairs of millions of attacks, but “progress is being made towards a safer, more trusted Internet,” Microsoft experts said in the paper.
“Yet increased information sharing can help further advance this progress and better protect mutual customers from threats in the ecosystem,” the company acknowledged in a report summary.
Continuing its ongoing work to “develop better community-based defenses, increase help to resolve vulnerabilities in highly leveraged third-party code running on the Windows platform, and empower customers with information that helps them make better risk assessments,” will be crucial to achieving its overall goal with the initiatives, the company said.
Of MAPP, which is meant to streamline the delivery of Microsoft vulnerability information to security software vendors prior to Microsoft’s monthly Patch Tuesday release, the company cited progress including:
â¢The inclusion of over 45 individual vendors worldwide in the effort. â¢A trickle down process through which many smaller vendors are getting their hands on the involved data faster. â¢A 75 percent decrease in the amount of time it takes IDS/IPS vendors to create protections for reported vulnerabilities.
The Exploitability Index, launched in Oct. 2008 and included as part of the Patch Tuesday release, is meant to help offer greater insight into the severity of individual vulnerabilities to aid end users and the security industry in aligning defenses and prioritizing risks. Achievements related to the vulnerability rating system charted by Microsoft include:
â¢A 99 percent reliability rating for the initiative in terms of estimating exploitability. â¢Only one revision to its ratings for the 140-plus examples it has already issued.
Related to the company’s MVSR efforts, aimed at improving the security of third-party software running on the Windows platform, Microsoft cited highlights including:
â¢Identification of vulnerabilities affecting the products of 32 different vendors. â¢A rating of “critical” or “important” having been attached to 86 percent of those reports. â¢Having 13 percent of the vulnerabilities discovered via the program fixed. â¢Participating in the initial reporting of a security flaw in rival Apple’s Safari browser.
Many Black Hat attendees will no doubt point out that many, if not most of the vulnerabilities being exploited by experts at the conference this week will in some manner relate directly to Microsoft products, or those of its partners.
However, there’s no questioning that the company has made headway with security, most dramatically around shifting perceptions of how much it truly cares about the matter.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.