[Infowarrior] - MS giving partners heads-up on security vulnerabilities

Richard Forno rforno at infowarrior.org
Tue Aug 5 18:00:30 UTC 2008


Microsoft to give partners heads-up on security vulnerabilities
Posted by Elinor Mills
http://news.cnet.com/8301-1009_3-10006325-83.html?hhTest=1&part=rss&subj=news&tag=2547-1_3-0-20

Microsoft will be giving companies that sell security software and  
services to its customers a sneak peek at the technical details of the  
vulnerabilities in Microsoft software before the company releases its  
monthly "Patch Tuesday" updates.

The new Microsoft Active Protections Program, set to be announced at  
the Black Hat security conference on Tuesday, is designed to give  
software vendors a chance to prepare updates to their software before  
attackers have a chance to reverse engineer Microsoft's security patch  
and create an exploit.

"It's essentially a race between the attackers and the protectors,"  
said Andrew Cushman, who runs the Microsoft Security Response Center.  
The program will "give a head start to software providers delivering  
security features to our mutual customers."

"It will save (vendors) the work of reverse engineering the patch and  
identifying where the vulnerability is and what triggers the  
exploitability," he said.

Cushman did not say how vendors would be notified or how much lead  
time they would get. Software companies that provide protection  
against host-based or network-based attacks will have to apply for  
membership to the program and be accepted. They and Microsoft will  
then be under mutual non-disclosure agreements, he said.

"The goal is to give it to them so they can have updates available as  
close to 10 a.m. as possible" on the second Tuesday of every month,  
Cushman said.

The program will begin in October. Microsoft has already floated the  
idea by IBM/ISS, TippingPoint and Juniper, he said.

Microsoft also will be providing an Exploitability Index in its  
monthly security bulletins beginning in October that will help  
organizations prioritize vulnerabilities by assigning one of three  
ratings to each one based on the likelihood of exploits being  
developed. The ratings from most severe to least severe are:  
"exploitation is likely to occur and to be reliable," "exploitation is  
likely to occur but with inconsistent reliability" and "exploitation  
is unlikely to occur," according to Cushman.
