Microsoft will be giving companies that sell security software and services to its customers a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly 'Patch Tuesday' updates.
The new Microsoft Active Protection Program, set to be announced at the Black Hat security conference on Tuesday, is designed to give software vendors a chance to prepare updates to their software before attackers have a chance to reverse-engineer Microsoft's security patch and create an exploit.
"It's essentially a race between the attackers and the protectors," said Andrew Cushman, director of the Microsoft Security Response Center. The programme will "give a head start to software providers delivering security features to our mutual customers".
"It will save [vendors] the work of reverse-engineering the patch and identifying where the vulnerability is and what triggers the exploitability," he said.
Cushman did not say how vendors would be notified or how much lead time they would get. Host- and network-based software providers will have to apply for membership to the program. They and Microsoft will then be under mutual non-disclosure agreements, he said.
"The goal is to give it to them so they can have updates available as close to 10am as possible" on the second Tuesday of every month, Cushman said.
The program will begin in October. Microsoft has already floated the idea by IBM ISS, TippingPoint and Juniper, he said.
Beginning in October, Microsoft also will be providing an 'exploitability index' in its monthly security bulletins that will help organisations prioritise vulnerabilities by assigning one of three ratings to each one.
The ratings, from most severe to least severe, are: 'Exploitation is likely to occur and to be reliable'; 'Exploitation is likely to occur but with inconsistent reliability'; and 'Exploitation is unlikely to occur'.
Leave a comment