At a major computer security conference in Las Vegas today, Microsoft is announcing new efforts to characterize computer security threats.
Microsoft regularly issues security bulletins and fixes for its software on the second Tuesday of each month, known as “patch Tuesday.” But often, attackers can quickly reverse-engineer the patches to build working exploits before IT departments have deployed the fixes.
A new Exploitability Index is designed to help IT pros prioritize those updates. The index will “provide customers with guidance on the likelihood of functional exploit code being developed for vulnerabilities addressed by Microsoft security updates.”
Beginning in October, Microsoft will rate, for each vulnerability it addresses, whether working exploit code is likely or unlikely to appear. If it is likely, Microsoft will further rate whether an exploit could trigger the vulnerability consistently or only inconsistently, giving three tiers in practice: consistent exploit code likely, inconsistent exploit code likely, and functioning exploit code unlikely. Note that the index rates the likelihood of exploitation, not the impact of a successful attack, so it is meant to complement the existing severity ratings rather than replace them.
Microsoft also plans to alert security software providers ahead of “patch Tuesday,” so they can prepare tools that may help customers defend against attacks. Microsoft acknowledged that this effort, known as Microsoft Active Protections Program (MAPP), involves sharing sensitive security information. Software vendors have to apply to become part of the program and meet certain criteria. One of these: “Members may not sell attack-oriented tools.” That’s good.
Ryan Naraine, writing on ZDNet’s Zero Day blog, points out that the program still poses “major risk.”
“As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought. What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?”
A Microsoft security manager tells him the company “will tightly lock down access to the program and implement measures to identify potential leaks. Participants in the program must sign NDAs and have a significant enough customer base for protection-oriented software.”
Meanwhile, for the non-IT staff, here’s a handy reminder from Consumer Reports of what not to do online to keep your computer safe and identity protected.