Microsoft is gearing up to expand its Trustworthy Computing
initiative by sharing more information with end users and with other security
vendors. The Microsoft Exploitability Index and the Microsoft Active Protections
Program (MAPP) will provide new visibility into security vulnerabilities that
affect Microsoft products.
The new initiatives come as Microsoft makes its third appearance at the Black
Hat security conference in Las Vegas, a conference that has in the past offered
up some significant Microsoft vulnerabilities.
"One of the reasons why we're at Black Hat is to hear feedback and make sure
that these programs are as effective as we intend them to be," Mike Reavey, group
manager at the Microsoft Security Response Center, told InternetNews.com. "The
overall theme of Trustworthy Computing is about continuing to evolve as the
online threats continue to involve and the exploit index and MAPP are examples
of our evolution."
Microsoft's Trustworthy Computing initiative debuted in 2001 as an effort by
Microsoft to restore trust in Microsoft's security practices. One of the items
that came out of the Trustworthy Computing initiative is Microsoft's monthly
Patch Tuesday update. The new exploitability index will supplement the Patch
Tuesday announcement with a new metric that will help users understand the risks
that a given vulnerability may pose.
To gauge risk, Microsoft will use the exploitability index to state whether
exploit code exists, or is likely to exist, for a given vulnerability. The
general idea is to help Microsoft customers prioritize updates based on how
likely each vulnerability is to be exploited.
"The exploitability index is not a hard score," Reavey commented. "It's more
about providing information."
Reavey explained that Microsoft will look at classifying vulnerabilities into
three broad buckets. The first bucket will be highly exploitable vulnerabilities,
where Microsoft is of the opinion that exploit code that works consistently is
likely to be released within the first 30 days of the Microsoft patch being
made available. The second bucket covers vulnerabilities for which inconsistent
exploit code, working only some of the time, is likely to be produced. The third
bucket will identify vulnerabilities for which Microsoft believes it is unlikely
that exploit code will be released within 30 days.
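The patch prioritization the index is meant to support, as an added example that is not from the article or from Microsoft: it ranks a set of constructed bulletins by the three buckets described above, then by severity, and assigns a hypothetical deployment window. The bulletin IDs, the severity scale, the window lengths and the handling of unrated bulletins are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three buckets the article describes; the labels are my own.
CONSISTENT_EXPLOIT_LIKELY = 1    # reliable exploit likely within 30 days of the patch
INCONSISTENT_EXPLOIT_LIKELY = 2  # unreliable exploit likely; works some of the time
EXPLOIT_UNLIKELY = 3             # exploit code unlikely within 30 days

# Hypothetical deployment windows (days) per bucket; tune to your own change policy.
DEPLOY_WINDOW_DAYS = {1: 3, 2: 14, 3: 30}

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str                  # one of the SEVERITY_RANK keys
    exploitability: Optional[int]  # bucket, or None if no rating was assigned
    exploit_public: bool = False   # exploit code already observed in the wild


def effective_bucket(b: Bulletin) -> int:
    # Public exploit code overrides any rating: treat it as the most urgent bucket.
    if b.exploit_public:
        return CONSISTENT_EXPLOIT_LIKELY
    # A missing rating is assumed worst-case rather than silently deferred.
    if b.exploitability is None:
        return CONSISTENT_EXPLOIT_LIKELY
    return b.exploitability


def prioritize(bulletins: List[Bulletin]) -> List[Tuple[str, int]]:
    """Return (bulletin_id, deploy_within_days) pairs, most urgent first."""
    ordered = sorted(
        bulletins,
        key=lambda b: (effective_bucket(b), SEVERITY_RANK[b.severity], b.bulletin_id),
    )
    return [(b.bulletin_id, DEPLOY_WINDOW_DAYS[effective_bucket(b)]) for b in ordered]


# Constructed sample bulletins; the IDs and ratings are made up for illustration.
SAMPLE = [
    Bulletin("MS-EX-001", "Critical", EXPLOIT_UNLIKELY),
    Bulletin("MS-EX-002", "Important", CONSISTENT_EXPLOIT_LIKELY),
    Bulletin("MS-EX-003", "Moderate", INCONSISTENT_EXPLOIT_LIKELY),
    Bulletin("MS-EX-004", "Important", None),
    Bulletin("MS-EX-005", "Low", EXPLOIT_UNLIKELY, exploit_public=True),
]

if __name__ == "__main__":
    for bid, days in prioritize(SAMPLE):
        print(f"{bid}: deploy within {days} days")
```

Note that a Critical bulletin rated "exploit unlikely" lands at the bottom of the list here, which is exactly the trade-off the index is meant to make visible; severity still breaks ties within a bucket.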
"When we looked at trends for the last two years, we saw that 30 percent of the
vulnerabilities that we had updates for actually had exploit code of any form,"
Reavey commented.
The Microsoft Active Protections Program (MAPP) will complement the
exploitability index by creating a new community of Microsoft partners that will
be given the details of vulnerabilities before the official patches are released.
Microsoft's plan is to have these partners provide protection in their own
respective products, be they intrusion prevention vendors, anti-virus vendors or
otherwise.
Reavey commented that the members of MAPP will also collaborate with Microsoft
on the exploitability index to verify Microsoft's assessment of risk.
Both the MAPP and exploitability index initiatives are expected by Microsoft to
be ready to debut in October of this year. Until then, Microsoft is soliciting
security vendors to be part of the MAPP program.
According to Reavey, there is no cost to a security vendor for joining the
program, though a non-disclosure agreement will need to be signed. Though MAPP
participants will get an early look at some vulnerabilities, Microsoft will still
be keeping a tight lid on its issues.
"There are no hard timelines yet for when we'll disclose to MAPP," Reavey said.
"But our intent is to provide information just in time, as we want to limit the
time the information is exposed. So likely days and not weeks."