Microsoft Throwing Its Weight Around With Security

At Black Hat last week, Microsoft announced both and expansion and a shift in their approach to vulnerability security information. Microsoft is releasing early information about vulnerabilities addresses in upcoming security patches through a new program called Microsoft Active Protections Program (MAPP). MAPP is a different kind of security information sharing program though -- it's intended for creators of security software which helps protect Microsoft products and environments. The idea is to get vulnerability information into the hands of products like intrusion prevention systems, firewalls and others, before Microsoft releases patch.

Microsoft will now being including something called the Exploitability Index, a measure of how likely an attacker could create exploit code that would actually take advantage and do damage via the vulnerability. I think this is really good idea. IT organizations can better assess risk and prioritize using this Index. If an attacker can p00n a machine with exploit code but they'd have to p00n the rest of the Internet first to do it (clearly, this is a tongue-in-check example), then it's not an exploit you probably have to put as much emphasis on because it's not likely to happen.

Lastly, Microsoft announced Microsoft Vulnerability Research (MSVR), and expansion of their own internal vulnerability lifecycle product research. This program could become quite controversial as Microsoft is now researching and announcing vulnerabilities in third-party products, not just their own. That means Microsoft is not just looking at their own stuff, but at other product companies, including what could be a competitor. Is this a good thing?

Well, it shows that Microsoft must be pretty darned confident about their own internal vulnerability research. You what they say about "glass houses" and all. There must be a good reason for Microsoft introducing this program and I've got to wonder if they've run into enough finger pointing situations with other vendors that this is a way of dealing with it. Or Microsoft's concerned about being painted with a broad brush should a partner's product lead to the compromise of software running on the Microsoft stack. You know us bloggers and the media, we'll go for the jugular, even if there isn't any there.

The MSVR program is one Microsoft will have to do while wearing kit gloves. It would be too easy for Microsoft to be perceived as being heavy handed or singling out a competitor. MSVR could in the end prove to be helpful, or give Microsoft some black eyes. I have to wonder what the larger plan here is for MSVR. It would make more sense if Microsoft were rolling out some type of security certification for vendor products running on Microsoft's stack. We'll have to wait and see on this one.

You can find out more about these new programs at Microsoft's virtual press room for Black Hat.

Oh ya, what about securing the cloud? We haven't heard much from Microsoft about this, at Black Hat or anywhere else.

Like this? Here are some of Mitchell's recent posts.Juniper UAC+NAP Only Part Of Microsoft's StoryDevelopment Costs In The CloudMeet Up At Black HatPodcast: SOA and Web Services, But BizTalk? Do You Trust The Cloud? Symantec & McAfee Finally Get Run For Money Product Reviews: Microsoft Live Mesh Google App Engine Xobni Outlook plugin Recent Converging Network Blog Posts: Get Ready For XaaS Everywhere Unbelievably Bad Web Password Security Back From Hiatus, Saved by Web 2.0 Technology It Takes a Village.. ah, actually, being there first and tons of hard work

Favorite Book Recommendations: The Big Switch Zero Day Attack Clear Blogging

Check out Mitchell's Converging On Microsoft Podcast. Current Podcast Episode: Security Mike Gets Serious About Security

Also visit Mitchell's personal blog The Converging Network, his new blog Breast Cancer For, and SSAATY Security Podcast.Visit Microsoft Subnet for more news, blogs, opinion from around the Web.Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.