Microsoft is gearing up to expand its Trustworthy Computing initiative by sharing more information with end users and with other security vendors. The Microsoft Exploitability Index and the Microsoft Active Protections Program (MAPP) will provide new visibility into security vulnerabilities that affect Microsoft products.
The new initiatives come as Microsoft makes its third appearance at the Black Hat security conference in Las Vegas, a conference that has in the past offered up some significant Microsoft vulnerabilities.
“One of the reasons why we’re at Black Hat is to hear feedback and make sure that these programs are as effective as we intend them to be,” Mike Reavey, group manager at the Microsoft Security Response Center, told InternetNews.com. “The overall theme of Trustworthy Computing is about continuing to evolve as the online threats continue to evolve, and the exploit index and MAPP are examples of our evolution.”
Microsoft’s Trustworthy Computing initiative debuted in 2001 as an effort by Microsoft to restore trust in Microsoft’s security practices. One of the items that came out of the Trustworthy Computing initiative is Microsoft’s monthly Patch Tuesday update. The new exploitability index will supplement the Patch Tuesday announcement with a new metric that will help users understand the risks that a given vulnerability may pose.
In order to gauge risk, Microsoft will use the exploitability index to state whether exploit code exists, or is likely to exist, for a given vulnerability. The general idea is to help Microsoft customers prioritize updates based on how likely each vulnerability is to be exploited.
“The exploitability index is not a hard score,” Reavey commented. “It’s more about providing information.”
Reavey explained that Microsoft will classify vulnerabilities into three broad buckets. The first bucket will be highly exploitable vulnerabilities, where Microsoft is of the opinion that exploit code that works consistently is likely to be released within the first 30 days of the Microsoft patch being made available. The second bucket covers vulnerabilities for which inconsistent exploit code, working only some of the time, might be produced. The third bucket will identify vulnerabilities for which Microsoft believes it is unlikely that exploit code will be released within 30 days.
“When we looked at trends for the last two years, we saw that 30 percent of the vulnerabilities that we had updates for, actually had exploit code of any form,” Reavey commented.
The Microsoft Active Protections Program (MAPP) will complement the exploitability index by creating a new community of Microsoft partners that will be given the details of vulnerabilities before the official patches are released. Microsoft’s plan is to have these partners provide protection in their own respective products, be they intrusion prevention vendors, anti-virus vendors or otherwise.
Reavey commented that the members of MAPP will also collaborate with Microsoft on the exploitability index to verify Microsoft’s assessment of risk.
Both the MAPP and exploitability index initiatives are expected by Microsoft to debut in October of this year. Until then, Microsoft is soliciting security vendors to be part of the MAPP program.
According to Reavey, there is no cost to a security vendor for joining the program, though a non-disclosure agreement will need to be signed. Though MAPP participants will get an early look at some vulnerabilities, Microsoft will still be keeping a tight lid on the issues.
“There are no hard timelines yet for when we’ll disclose to MAPP,” Reavey said. “But our intent is to provide information, just in time as we want to limit the time the information is exposed. So likely days and not weeks.”