This morning at the Black Hat security conference, Microsoft announced two new feature additions to its monthly patch-cycle process. One of those features will be advance warning and notification to security companies and vendors about the coming patches, while the second is to be an added “Exploitability Index” to the monthly bulletin releases.
“Along with the predictability of Microsoft’s monthly security update process is the emergence of an undesirable cycle — the release of exploit code, related to those updates, sometimes within hours of release,” the American software giant said.
It also added that, by understanding this changing threat environment, Microsoft has moved to offer the Microsoft Active Protections Program (MAPP), which gives security software providers advance information about vulnerabilities addressed by Microsoft security updates.
But will it help? According to TippingPoint, one of the early participants in MAPP, it will.
David Endler, senior director of security research for TippingPoint, told IDG News that even a space of twenty-four hours would help his company test and deploy the newest patches.
"In the past few years the tools used by cyber criminals have advanced to the point where hackers can analyze the latest Microsoft patches and then turn out exploit code within a matter of hours," he said. "So Microsoft's plan to give the security industry an early look at technical information on the bugs could be a real help."
While other companies are expected to jump on the bandwagon, the only ones Microsoft confirmed as involved with the MAPP project are IBM, Juniper Networks, and 3Com's TippingPoint division. It is safe to assume the larger security vendors such as Symantec, McAfee, Sophos, Kaspersky, and others will soon join in the fun.
"As security threats become more sophisticated, the global security community must combine its resources and work together to provide maximum security protections to worldwide Internet users," said George Stathakopoulos, general manager of security engineering and communications at Microsoft. "No one organization can counter online attacks alone. Therefore, we must use the combined strength of the industry, partners, customers, and public organizations to build a more secure environment for everyone."
While Stathakopoulos makes a good point, the question remains: will it help? Sure, advance notice is good, but that will not stop the criminals from doing what they do best, namely reverse-engineering the patches and pushing out exploit code within hours of the patch's release.
The time to patch, because of testing or internal deployment policies that some businesses have, will remain the same -- no matter who gets the advance notice.
What this advance notice will stop (with luck) are the software meltdowns some of the recent patches from Microsoft have caused, such as issues with ZoneAlarm or Symantec that were in the news recently after consumers installed the normal patches.
In addition to the MAPP project there is also the new Exploitability Index.
Starting with the October security announcement, the Exploitability Index will provide information and scoring on the likelihood of functional exploits being developed for the vulnerabilities addressed by Microsoft.
This is going to be based on the current rating index, such as “Critical” or “Important,” that users currently see. Microsoft said that this additional information would help customers better assess their unique risks and better prioritize deployment of the monthly security update.
"The introduction of these new programs helps address evolving online threats and provides more practical guidance to assess and manage risk," said Andrew Cushman, director of security response and outreach at Redmond-based Microsoft. "In the race between exploit and protection, Microsoft is committed to shifting the advantage to the security industry. The Microsoft Active Protections Program gives security software providers the information and resources they need to help better protect customers."
However, that is the problem. There is no right or wrong way to offer disclosure to the public. While not coming out to say it, this initiative comes at a time when the argument for 'Full Disclosure' is once again at a peak.
Microsoft wants to place itself in the center and not appear to lean one way or another on the disclosure argument. “In the race between exploit and protection…,” is a race no one will win. If you close off disclosure and only report security issues to a vendor, then we're left at the mercy of the vendor to patch the issue, which may or may not happen. If you announce it to the world at the same time as discovery, then you risk exploitation on a large scale, and vendors have no time to patch.
This is why the disclosure methods are what they are today. It is a fair balance. Sadly, there is no real middle ground to reach for, as, no matter what researchers do, they are never going to please everyone.
All of the recent debate over disclosure is related to the DNS issues disclosed by Dan Kaminsky. HD Moore, who helped push exploit code out for the Kaminsky vulnerability, took criticism for his actions. As silly as that sounds, he was attacked for helping people exploit a flaw that could cripple network infrastructures.
What most of the people who attacked him failed to notice was that the attacks that followed on DNS systems shortly after the exploit code release did not use Moore’s Metasploit module. Criminals were using their own attack methods.
Criminals will always have more information than we give them credit for, and they will use that information to exploit every weakness they can. While advance notice is a good way to start the process of matching the information levels that some criminals possess, it is not going to be the single solution that will save us all.