Microsoft Security Alert Program Sets Example for Infrastructure Vendors

Microsoft is starting its Active Protections Program to give anti-virus, intrusion prevention system and network security vendors a heads up about security fixes in advance of patch Tuesday. Other infrastructure vendors such as Sun Microsystems and Apple could benefit users by following suit with similar programs.

When Microsoft announced plans Aug. 5 to share information on vulnerabilities with security software vendors as part of the Microsoft Active Protections Program, the company underscored what could be a shift to a new era of cooperation in the name of security.

In light of the largely successful coordinated release of patches for the much-publicized domain name system (DNS) flaw, it is time for infrastructure vendors to embrace cross-vendor cooperation.

The idea behind the Active Protections Program, which is slated to launch in October, is to give anti-virus, intrusion prevention system and network security vendors a heads-up on patches and vulnerabilities prior to Patch Tuesday. According to Microsoft officials, the predictability of the company's monthly security update process has had an unintended result-the release of exploit code tied to Patch Tuesday updates, sometimes within hours of the patches.

As an answer to the so-called "Exploit Wednesday" phenomena, the company offers the Microsoft Active Protections Program, which it contends will give security vendors the ability to offer protections to customers faster. There is also the Microsoft Vulnerability Research Program, in which the company will work with independent software vendors (ISVs) to uncover vulnerabilities and protect mutual customers. These will include vulnerabilities found internally through Microsoft's army of researchers or vulnerabilities brought to Microsoft by outsiders, which would then be passed on to the affected third-party vendor.

The company's decision to share comes after the virtually unprecedented level of cooperation between vendors including Microsoft, Sun Microsystems and others to coordinate patch releases for the DNS flaw uncovered by security researcher Dan Kaminsky. In that case, vendors began working together in March to come up with a solution to the problem. Though there was plenty of dissention initially due to the reluctance of those involved to provide details of the flaw, many in the security community applauded the handling of the situation.

Such cooperation is refreshing, given that members of the user community benefit from having the most protection possible sooner. As an operating system vendor, Microsoft is well positioned to be a central player in this new game-as are companies like Apple and Sun Microsystems.

"Every infrastructure vendor should follow Microsoft's lead in giving a heads up to discovered vulnerabilities," said Eric Ogren, an analyst with The Ogren Group. "There has been way too much finger-pointing to be healthy. The customer business is vulnerable up and down the stack-you don't get full value out of removing an operating system vulnerability if an attack can waltz in through an application, and vice-versa. Security professionals have a responsibility to ensure that information is shared to remove as many vulnerabilities as possible."

Gartner analyst John Pescatore raised the specter of possible conflicts of interest for Microsoft due to its Forefront product. For example, in the case of the Microsoft Vulnerability Research program, Microsoft could use its position to encourage ISVs to share information with them so that Microsoft security product engineers will have it in advance of Microsoft's competitors, he argued.

Still, the more eyes there are looking for vulnerabilities the better off all of us are, and the Active Protections Program could help security vendors better deal with blended threats.

"I think Microsoft gets the blame every time there is a vulnerability discovered - even if the security hole exists in third party software," Ogren said. "I'd prefer to think that Microsoft is assuming the responsibility that the customers expect from infrastructure vendors."