Network World

Microsoft to give vendors an early peek at patches

By Robert McMillan, IDG News Service, 08/05/2008

Microsoft plans to give security vendors a head start in what has become a monthly race against the hackers.

Starting in October, the company will provide security vendors with early access to technical details of its monthly security patches before the software updates are actually released. This will give the companies that write attack-blocking code a bit of a cushion as they write and test their security software.

Microsoft calls this initiative the Microsoft Active Protections Program (MAPP) and says that participating companies must sell commercial Windows security products and have a large customer base -- and no, sellers of attack-based penetration testing tools are not invited.

Early participants include IBM, Juniper Networks, and 3Com's TippingPoint division, but other companies are expected to sign up.

In the past few years the tools used by cyber criminals have advanced to the point where hackers can analyze the latest Microsoft patches and then turn out exploit code within a matter of hours, so Microsoft's plan to give the security industry an early look at technical information on the bugs could be a real help, said David Endler, senior director of security research for TippingPoint.

Even if TippingPoint gets the information just a day before the patches are released, it will be able to use the extra time to write and then test its filtering software, Endler said. "24 hours is a huge help."

Microsoft also plans to give regular users a little more help by beefing up its public security bulletins with information on whether hackers are likely to actually write malicious software that exploits the flaws that Microsoft patches each month.

The company already measures the severity of its security bugs, rating them "critical," "important," "moderate" or "low," but starting in October the company will add this new Exploitability Index information.

The vulnerabilities listed in Microsoft's bulletins will be rated as "Consistent Exploit Code Likely," "Inconsistent Exploit Code Likely," or "Functioning Exploit Code Unlikely."

This Exploitability Index system will make it easier for customers to decide which patches to install first by giving Windows users a better idea of which bugs Microsoft finds most worrying. The index will separate the flaws that will simply cause a system crash from more serious bugs that could be used to give attackers control of a victim's machine.

Microsoft has vowed to discuss three new security programs at this week's Black Hat security conference in Las Vegas. A spokesman for the company's public relations firm declined to say what else might be in store.

Comments (4)
Microsoft is working harder to improve its security (and its security image)
By Microsoft Subnet on August 5, 2008, 10:33 am
Do you think Microsoft Security is improving? As frustrating as it is to be a Microsoft customer and have to deal with this never-ending onslaught of patches (which...

Microsoft Security
By dgaertig on August 5, 2008, 4:01 pm
MS security has improved a lot over the years. Still not perfect, but they are getting there. Since Win2008 I have fewer problems than with 2000/2003. Still, I...

But they're leaving SNORT out in the cold
By Anonymous on August 6, 2008, 7:34 pm
? Then what's the point? It must be the most widely deployed IDS in existence.

Yes and maybe..
By tuomoks on August 6, 2008, 8:31 pm
Yes - the products get more resilient against security problems but.. The problem with MS as many other corporations is that security is not a product or technology...
