News

Microsoft tries collaboration to fix security problems

Ian Grant

Microsoft is enlisting the entire computer industry in an early-warning scheme to fight hackers who wait for its monthly security patches before releasing exploit code.

At the Black Hat conference today, Microsoft unveiled two initiatives. The first, Microsoft Active Protections Programme (MAPP), gives security software suppliers early information about vulnerabilities addressed by upcoming security patches so they can adapt their own products for it. The second, the Exploitability Index, is a risk assessment for users of how likely it is that hackers will try to exploit new code.

Mike Reavey, group manager of Microsoft's security response centre, said these initiatives were part of the firm's six-year-old Trustworthy Computing drive. "Even after people have used our malware removal tools, we're finding one in 123 PCs still have exploit code on them," he said.

The moves were part of the effort Microsoft had put into its Secure Software Development Lifecycle, and Entrust, which is an appeal to the global software industry to sign up to secure coding practices, said Reavey.

"We are hoping to tip the balance in our favour by beating the exploits to market."

Reavey said the index would take into account feedback from software developers and customers in estimating the risk that malware targeted at any particular piece of code would emerge.

"It's a collaborative tool," he said, adding that Microsoft would publish the index as part of its monthly security bulletin.

Hackers often did a side-by-side analysis of new code to see what had changed, said Reavey. "We're using the same techniques [to build defences and heal vulnerabilities]."

Graham Cluely, senior technology consultant at Sophos, said Microsoft "was making all the right noises".

He added, "We still have to see what they show us, but any initiative that makes things better for customers is a move in the right direction."

Cluely recommended that customers use the index to do their own risk assessment, and act on that rather than the index itself.





 

COMMENTS powered by Disqus  //  Commenting policy