
Microsoft is enlisting the entire computer industry in an early-warning scheme to fight hackers who wait for its monthly security patches before releasing exploit code.
At the Black Hat conference today, Microsoft unveiled two initiatives. The first, Microsoft Active Protections Programme (MAPP), gives security software suppliers early information about vulnerabilities addressed by upcoming security patches so they can adapt their own products before the patches ship. The second, the Exploitability Index, is a risk assessment for users of how likely it is that hackers will develop working exploits for each newly patched vulnerability.
Mike Reavey, group manager of Microsoft's security response centre, said these initiatives were part of the firm's six-year-old Trustworthy Computing drive. "Even after people have used our malware removal tools, we're finding one in 123 PCs still have exploit code on them," he said.
The moves were part of the effort Microsoft had put into its Secure Software Development Lifecycle, and Entrust, which is an appeal to the global software industry to sign up to secure coding practices, said Reavey.
"We are hoping to tip the balance in our favour by beating the exploits to market."
Reavey said the index would take into account feedback from software developers and customers in estimating the risk that malware targeted at any particular piece of code would emerge. "It's a collaborative tool," he said, adding that Microsoft would publish the index as part of its monthly security bulletin.
Hackers often did a side-by-side analysis of new code to see what had changed, said Reavey. "We're using the same techniques [to build defences and heal vulnerabilities]."
Graham Cluley, senior technology consultant at Sophos, said Microsoft "was making all the right noises".
He added, "We still have to see what they show us, but any initiative that makes things better for customers is a move in the right direction."
Cluley recommended that customers use the index as an input to their own risk assessment, and act on that assessment rather than on the index alone.