Microsoft has signed on to the concept of industry-coordinated security disclosure with a new initiative it will launch in October.
Dubbed the Microsoft Active Protections Program, the move will make information on Microsoft’s monthly security updates available to a select group of software security vendors before Patch Tuesday. The idea is to give the vendors a leg up on hackers. Under the program, Microsoft will release information such as what conditions have to be present for exploitation and how the vulnerability can be identified.
The move represents a significant change in how Microsoft has done things since it began the monthly updates several years ago, and should aid security vendors scrambling to document vulnerabilities and push out signatures for them to prevent exploitation.
“We release on the second Tuesday of every month, [and] immediately the hackers and defenders start reverse-engineering those patches, and customers immediately start downloading them and evaluating them,” said Andrew Cushman, senior director of the Microsoft Security Response and Outreach Team. “Microsoft’s goal with the Active Protections Program is to give the companies that are providing protections a head start in that race to protections against exploitation.”
In addition, Microsoft is establishing what it calls the Exploitability Index, which will provide ratings based on how likely a vulnerability is to be exploited successfully. It will appear as a new table for each security bulletin. The factors behind the rating include the nature of the vulnerability and how it can be reached.
“The goal here really is to help customers prioritize their deployments,” Cushman said. “We always assume the worst case and the most talented attacker. That was the assumption that we made previously. Here we are going to actually back this up with our research.”
The Exploitability Index will be launched in October as well.