Microsoft to Open Kimono on Security Patches
In a bid to help the security industry stay a step ahead of cyber crooks, Microsoft will release additional details behind the vulnerabilities it patches each month to anti-virus companies and other large vendors of Windows security software.
While Microsoft already provides a brief fact sheet of which components of Windows will be fixed prior to its regular patch releases on the second Tuesday of each month, known as "Patch Tuesday," security vendors say additional details will help them more swiftly update their software to detect the latest attacks.
In particular, software companies rarely have enough time to develop attack "signatures" (patterns of code or Internet traffic that, when found on a network or PC, could indicate an attacker is trying to exploit the flaws).
Under a new program starting with October's Patch Tuesday cycle, Microsoft will begin releasing technical details that should allow security vendors to very quickly develop those signatures and gain a head start before the crooks learn to exploit the vulnerabilities.
Andrew Cushman, senior director of the Microsoft Security Response Center, stopped short of saying Microsoft would be providing exploit code to vetted vendors.
"We will provide all the technical detail necessary for these protection providers to very quickly develop signatures and updated protections for those vulnerabilities," Cushman said. "The reality is that at 10 a.m. on Patch Tuesday, the bad guys start reverse engineering."
Under the program, anti-virus companies and other vendors would be prohibited from shipping signatures to detect exploits for the new flaws until the updates are released on Patch Tuesday. The concern here, once again, is that crooks could use those signatures to figure out where a flaw is located and how to exploit it, Cushman said.
Microsoft also will be tweaking the security advisories it ships with each patch to include information about how likely it is that bad guys will be able to exploit the flaws. This "exploitability index," Cushman said, will come in three flavors: "Low" means the vulnerability is either too lame or too difficult to exploit. A "Medium" rating would apply to flaws likely to encourage the development of exploit code, but whose quality and dependability is expected to be iffy at best. A "Critical" exploitability rating will be given to holes that are easy to find and exploit across a wide range of Microsoft systems.
Fred Pinkett, vice president of product management for Core Security, a Boston-based security services firm, called the two changes "incremental but important." Pinkett said the changes will help companies better prioritize which vulnerabilities should be patched immediately, and which patches can safely be delayed for testing to ensure they don't break custom software.
As to whether Microsoft's upcoming exploitability index might provide a road map telling bad guys where they should focus their efforts, Pinkett said the information is more useful to the defenders.
"In some ways, Microsoft slapping a 'hard to exploit' label on vulnerabilities may encourage some in the research community to prove themselves," Pinkett said. "But as for the really bad, exploitable stuff, the bad guys are going to figure out which ones those are on their own very easily anyways."
Microsoft is expected to announce a third initiative on Thursday at the Black Hat security conference in Las Vegas this week, although it is keeping the details of that program under wraps for now. Early rumors were that Microsoft would announce a program to financially reward security researchers who report previously unknown security flaws. But Microsoft's Cushman said that rumor was false.
"As long as I work for Microsoft, we will not pay for bugs," he said.
When security researchers tell Microsoft about flaws they've found and give the company a chance to fix them before going public with the research, Microsoft credits those researchers in its security advisories. Cushman left open the possibility that Microsoft may reward researchers with additional exposure and recognition.
"I believe part of my job in working with the security research community was to figure out how to engage that community in a positive way," Cushman said. "Microsoft has a lot of assets, and we provide attribution in our bulletins. That's an asset that we have and are willing to use."