Black Hat, Las Vegas: Microsoft today released a tool to help programmers, security researchers and malware protection vendors manage risk and discover vulnerabilities in its software.
It also announced it would make available a spreadsheet to help CIOs measure accurately the cost of evaluating and installing software updates or patches from any software vendor.
Andrew Cushman, senior director of Microsoft's security response centre strategy, said the firm's latest figures showed that 87% of vulnerabilities lay in applications and other software outside the operating system.
He said 91% of attacks tried to exploit vulnerabilities for which a security patch had existed for more than two years.
The Office Visualization Tool (OffViz) will give IT professionals a deeper understanding of the Office binary file format.
This will allow them to identify common vulnerabilities and exposures (CVEs) in Word, Excel and PowerPoint documents and make it easier to identify, deconstruct and repair attacks.
The new tool will help customers and business partners build better products and deeper, more precise signatures, said Cushman. It will also allow them to develop new techniques for analysing malware and detecting suspicious documents, he added.
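The kind of structural decoding the article describes (reading the Office binary container and spotting documents whose layout does not add up) can be illustrated with a small inspector. The following is an added example written for this page; it is not OffViz code and not Microsoft's. It assumes the legacy Office container is a Compound File Binary (CFB/OLE) file laid out as in the public [MS-CFB] specification, parses the 512-byte header and the DIFAT, loads the FAT, and walks the directory sector chain with bounds and cycle checks. The sample files it inspects are constructed inline: `build_sample()` produces a minimal well-formed version-3 container, and `build_sample(tamper=True)` the same file with two fields corrupted. Function names and the wording of the findings are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field layout taken from the public [MS-CFB] specification.
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_FMT = "<8s16sHHHHH6s9I"   # fixed header fields, offsets 0x00..0x4B
DIFAT_FMT = "<109I"              # 109 DIFAT entries fill the rest of the 512-byte header
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD


@dataclass
class CfbHeader:
    major_version: int
    byte_order: int
    sector_shift: int
    mini_sector_shift: int
    num_dir_sectors: int
    num_fat_sectors: int
    first_dir_sector: int
    mini_stream_cutoff: int
    difat: Tuple[int, ...]

    @property
    def sector_size(self) -> int:
        return 1 << self.sector_shift


def parse_header(data: bytes) -> CfbHeader:
    """Decode the fixed header and the in-header DIFAT; raise if the magic is wrong."""
    (sig, _clsid, _minor, major, byte_order, sshift, mshift, _res,
     ndir, nfat, first_dir, _tx, cutoff, _fmini, _nmini, _fdifat, _ndifat) = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if sig != CFB_SIGNATURE:
        raise ValueError("not a compound file: bad signature")
    difat = struct.unpack_from(DIFAT_FMT, data, 0x4C)
    return CfbHeader(major, byte_order, sshift, mshift, ndir, nfat, first_dir, cutoff, difat)


def load_fat(data: bytes, h: CfbHeader, max_sector: int, findings: List[str]) -> List[int]:
    """Concatenate the FAT sectors named by the DIFAT; sector n lives at offset (n + 1) * sector_size."""
    fat: List[int] = []
    for sec in h.difat[:min(h.num_fat_sectors, 109)]:
        if sec >= max_sector:
            findings.append("DIFAT points at FAT sector %d beyond end of file" % sec)
            continue
        off = (sec + 1) * h.sector_size
        fat.extend(struct.unpack("<%dI" % (h.sector_size // 4), data[off:off + h.sector_size]))
    return fat


def walk_chain(fat: List[int], start: int, max_sector: int) -> Tuple[List[int], Optional[str]]:
    """Follow a FAT chain from `start`, refusing out-of-file sectors and loops."""
    seen: List[int] = []
    cur = start
    while cur != ENDOFCHAIN:
        if cur >= max_sector or cur >= len(fat):
            return seen, "sector %d beyond end of file" % cur
        if cur in seen:
            return seen, "cycle in sector chain at %d" % cur
        seen.append(cur)
        cur = fat[cur]
    return seen, None


def inspect(data: bytes) -> List[str]:
    """Return structural anomalies; an empty list means the container looks well-formed."""
    findings: List[str] = []
    if len(data) < 512:
        return ["file shorter than the 512-byte header"]
    try:
        h = parse_header(data)
    except ValueError as exc:
        return [str(exc)]
    if h.byte_order != 0xFFFE:
        findings.append("byte order mark 0x%04X is not little-endian 0xFFFE" % h.byte_order)
    expected_shift = {3: 9, 4: 12}.get(h.major_version)
    if expected_shift is None:
        findings.append("unknown major version %d" % h.major_version)
    elif h.sector_shift != expected_shift:
        findings.append("sector shift %d does not match version %d" % (h.sector_shift, h.major_version))
    if h.mini_sector_shift != 6:
        findings.append("mini sector shift %d (expected 6)" % h.mini_sector_shift)
    if h.mini_stream_cutoff != 0x1000:
        findings.append("mini stream cutoff 0x%X (expected 0x1000)" % h.mini_stream_cutoff)
    if h.major_version == 3 and h.num_dir_sectors != 0:
        findings.append("directory sector count must be 0 in version 3 files")
    if h.sector_shift not in (9, 12):
        return findings  # sector size is bogus, so the sector table cannot be walked safely
    max_sector = (len(data) - 512) // h.sector_size
    fat = load_fat(data, h, max_sector, findings)
    chain, err = walk_chain(fat, h.first_dir_sector, max_sector)
    if err:
        findings.append("directory chain: " + err)
    elif not chain:
        findings.append("empty directory chain")
    return findings


def build_sample(tamper: bool = False) -> bytes:
    """Constructed minimal version-3 container: header, one FAT sector, one directory sector."""
    difat = [0] + [FREESECT] * 108            # FAT lives in sector 0
    first_dir = 9999 if tamper else 1         # tampered file points the directory past EOF
    mshift = 7 if tamper else 6               # and carries an invalid mini sector shift
    header = struct.pack(HEADER_FMT, CFB_SIGNATURE, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, mshift, b"\0" * 6,
                         0, 1, first_dir, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack(DIFAT_FMT, *difat)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = b"\0" * 512
    return header + fat + directory


if __name__ == "__main__":
    print("clean   :", inspect(build_sample()))
    print("tampered:", inspect(build_sample(tamper=True)))
```

The checks are deliberately conservative: each one compares a header field against a value the specification fixes, or verifies that a sector reference lands inside the file, so a finding indicates a container that a conforming writer would not have produced rather than a guess about intent. A real triage tool would go on to decode the directory entries and the stream contents the same way, which is the level of detail the article credits OffViz with exposing.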
The patch management spreadsheet, to be released later, came out of Project Quant, a Microsoft-sponsored research project that looked into firms' approaches to managing patches.
The team found no well-defined patch management system, so it developed the 10-stage patch management process life-cycle reflected in the spreadsheet.
"The spreadsheet is a generalised model that reflects industry best practices and can be adapted to different circumstances," Cushman said. "It covers the process from monitoring updates to confirming the complete rollout of the patches. And it's vendor-neutral."