Black Hat, Las Vegas: Microsoft today
released a tool to help programmers, security researchers and
malware protection vendors manage risk and discover vulnerabilities
in its software.
It also announced a spreadsheet, to be made available later, to help
CIOs accurately measure the cost of evaluating and installing
software updates or patches from any software vendor.
Andrew Cushman, senior director of Microsoft's security
response centre strategy, said the firm's latest figures showed
that 87% of vulnerabilities lay in applications and other software
outside the operating system.
He said 91% of attacks tried to exploit vulnerabilities for
which a security patch had existed for more than two years.
The Office Visualization Tool (OffViz) will give IT
professionals a deeper understanding of the Office binary file
format.
That understanding lets them recognise which known vulnerabilities
(CVEs) a malicious Word, Excel or PowerPoint document is trying to
exploit, and makes it easier to identify, deconstruct and remediate
attacks.
The new tool will help customers and business partners build
better products and deeper, more precise signatures, Cushman said.
It will also let them develop new techniques for analysing malware
and detecting suspicious documents, he added.
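The binary Word, Excel and PowerPoint formats that OffViz dissects are all built on the OLE2 Compound File Binary (CFB) container, and the first thing a document analyst or signature writer checks is whether that container's header is even internally consistent. The following is an added example for this article, not OffViz or any Microsoft code: it parses the fixed 512-byte CFB header using the offsets and constants from the MS-CFB specification, and reports fields that contradict the specification or the actual file size (bogus sector shifts, sector counts or sector IDs that point past the end of the file, DIFAT entries that are not what the declared FAT count implies). The sample files it checks are constructed inline; the finding codes are this example's own naming. A real analysis tool goes on to walk the FAT, directory and streams and then the application-level records inside them, which is where the document-specific CVE matching happens.

```python
"""Structural sanity checks on the OLE2 / Compound File Binary (CFB) header
that binary Word, Excel and PowerPoint files (.doc, .xls, .ppt) are built on.
Added example; not OffViz. Sample headers below are constructed, not real."""
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
ENDOFCHAIN = 0xFFFFFFFE   # special sector IDs from the CFB specification
FREESECT = 0xFFFFFFFF

# (field, struct format, header offset) for the fields checked below
HEADER_FIELDS = [
    ("minor_version", "<H", 0x18), ("major_version", "<H", 0x1A),
    ("byte_order", "<H", 0x1C), ("sector_shift", "<H", 0x1E),
    ("mini_sector_shift", "<H", 0x20), ("num_dir_sectors", "<I", 0x28),
    ("num_fat_sectors", "<I", 0x2C), ("first_dir_sector", "<I", 0x30),
    ("mini_stream_cutoff", "<I", 0x38), ("first_minifat_sector", "<I", 0x3C),
    ("num_minifat_sectors", "<I", 0x40), ("first_difat_sector", "<I", 0x44),
    ("num_difat_sectors", "<I", 0x48),
]


def parse_header(data):
    """Decode the fixed header fields plus the 109-entry DIFAT array at 0x4C."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a CFB header")
    hdr = {"signature": bytes(data[:8])}
    for name, fmt, off in HEADER_FIELDS:
        hdr[name] = struct.unpack_from(fmt, data, off)[0]
    hdr["difat"] = struct.unpack_from("<109I", data, 0x4C)
    return hdr


def check_header(data):
    """Return 'CODE: detail' findings for a whole file's bytes; an empty list
    means the header agrees with the specification and with the file size."""
    try:
        h = parse_header(data)
    except ValueError as e:
        return [f"TRUNCATED: {e}"]
    if h["signature"] != CFB_SIGNATURE:
        return ["SIGNATURE: not a CFB file"]
    findings = []
    if h["byte_order"] != 0xFFFE:
        findings.append(f"BYTE_ORDER: {h['byte_order']:#06x}, expected 0xfffe")
    expected_shift = {3: 9, 4: 12}.get(h["major_version"])   # 512- or 4096-byte sectors
    if expected_shift is None:
        findings.append(f"VERSION: unknown major version {h['major_version']}")
    elif h["sector_shift"] != expected_shift:
        findings.append(f"SECTOR_SHIFT: {h['sector_shift']}, expected {expected_shift}")
    if h["mini_sector_shift"] != 6:
        findings.append(f"MINI_SHIFT: {h['mini_sector_shift']}, expected 6")
    if h["mini_stream_cutoff"] != 4096:
        findings.append(f"CUTOFF: {h['mini_stream_cutoff']}, expected 4096")
    if h["major_version"] == 3 and h["num_dir_sectors"] != 0:
        findings.append("DIR_COUNT: must be 0 in a version 3 file")
    used = min(h["num_fat_sectors"], 109)   # DIFAT entries the header says are in use
    # Size-based checks only run when the sector size is one of the two legal
    # values; a bogus shift must not be used to compute anything else.
    if h["sector_shift"] in (9, 12):
        max_sectors = (len(data) - HEADER_SIZE) >> h["sector_shift"]
        for field in ("num_fat_sectors", "num_minifat_sectors", "num_difat_sectors"):
            if h[field] > max_sectors:
                findings.append(f"COUNT: {field}={h[field]} exceeds {max_sectors} sectors in file")
        for field in ("first_dir_sector", "first_minifat_sector", "first_difat_sector"):
            sid = h[field]
            if (field == "first_dir_sector" or sid != ENDOFCHAIN) and sid >= max_sectors:
                findings.append(f"SECTOR_ID: {field}={sid:#x} is outside the file")
        bad = [s for s in h["difat"][:used] if s >= max_sectors]   # includes FREESECT
        if bad:
            findings.append(f"DIFAT: {len(bad)} of {used} in-use entries point outside the file")
    trailing = [s for s in h["difat"][used:] if s != FREESECT]
    if trailing:
        findings.append(f"DIFAT_TAIL: {len(trailing)} unused entries are not FREESECT")
    return findings


def build_sample(extra_sectors=2, **overrides):
    """Construct a minimal version-3 file: header, FAT in sector 0, directory
    in sector 1, sector bodies zeroed (enough for header-level checks)."""
    fields = dict(minor_version=0x3E, major_version=3, byte_order=0xFFFE,
                  sector_shift=9, mini_sector_shift=6, num_dir_sectors=0,
                  num_fat_sectors=1, first_dir_sector=1, mini_stream_cutoff=4096,
                  first_minifat_sector=ENDOFCHAIN, num_minifat_sectors=0,
                  first_difat_sector=ENDOFCHAIN, num_difat_sectors=0)
    fields.update(overrides)
    buf = bytearray(HEADER_SIZE)
    buf[:8] = CFB_SIGNATURE
    for name, fmt, off in HEADER_FIELDS:
        struct.pack_into(fmt, buf, off, fields[name])
    struct.pack_into("<109I", buf, 0x4C, 0, *([FREESECT] * 108))
    return bytes(buf) + bytes(512 * extra_sectors)


if __name__ == "__main__":
    print("clean:", check_header(build_sample()))
    print("tampered:", check_header(build_sample(num_fat_sectors=0x7FFFFFFF,
                                                  first_dir_sector=0x7FFFFFFF)))
```

The point of the file-size cross-check is that a parser which trusts `num_fat_sectors` or `first_dir_sector` will compute offsets far beyond the buffer it actually holds; flagging those before any deeper parsing is the cheapest triage step, and it is exactly the class of structural inconsistency a signature can key on without knowing which application-level record the document goes on to abuse.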
The patch management spreadsheet, to be released later, came out of
Project Quant, a Microsoft-sponsored research project that
looked into firms' approaches to managing patches.
The team found no well-defined patch management process in use, so it
developed the 10-stage patch management life-cycle that the
spreadsheet reflects.
"The spreadsheet is a generalised model that reflects industry
best practices and can be adapted to different circumstances,"
Cushman said. "It covers the process from monitoring updates to
confirming the complete rollout of the patches. And it's
vendor-neutral," he said.