Microsoft Brings Security Outreach Message to Black Hat
Microsoft expands security disclosure program as it tries to work closer with researchers and other software vendors, including Adobe.
LAS VEGAS -- Microsoft is enhancing its outreach this week with a series of expanded initiatives to help improve the security of its applications.
The new initiatives include collaboration with Adobe to help disclose security issues as part of the Microsoft Active Protections Program (MAPP). Microsoft is also expanding the protection it makes freely available to its users with an updated version of its Enhanced Mitigation Experience Toolkit (EMET).
Microsoft is announcing the new efforts here at the Black Hat security conference on the second anniversary of the launch of the Microsoft MAPP and Exploitability Index initiatives at the same conference in 2008.
Over the period from October 2008 to June 2010, Microsoft reported 165 vulnerabilities rated at the most severe level of its Exploitability Index, meaning consistent exploit code was likely.
Microsoft uses the MAPP program to make its detailed security advisory information available to trusted partners as rapidly as possible. The goal of the program is to enable third-party security vendors to quickly deliver their own solutions that protect against threats.
By partnering with Microsoft, Adobe will similarly support third parties by providing vulnerability information about its products to the 65 MAPP participants.
Jerry Bryant, group manager of Microsoft's Trustworthy Computing Group, declined to comment on whether any money was changing hands between Microsoft and Adobe for the MAPP partnership.
The other new development coming from Microsoft at Black Hat is its EMET 2.0 tool, which applies security mitigations to software that, for whatever reason, cannot easily be patched. EMET 2.0 builds on the previous release, which was a command-line tool, by adding a graphical user interface.
"EMET is built strictly to try and apply built-in Windows mitigations to apps that don't do it automatically," Bryant said in an interview with InternetNews.com.
The disclosure debate
Microsoft is also in the midst of rolling out its new coordinated vulnerability disclosure policy, and is using Black Hat as a venue to help sell its message of working in concert with the research community on the disclosure of security issues.
"Coordinated disclosure is really not a large departure from our traditional stance on responsible disclosure," Bryant said. "It's an effort to try and get past emotionally laden terms like 'responsible disclosure' that people tend to get hung up on."
Bryant also reiterated Microsoft's stated policy of not paying security researchers for the vulnerabilities they unearth. Other groups, including Google, Mozilla and HP's TippingPoint division, all pay researchers for security discoveries.
"Over 80 percent of the vulnerabilities that were reported to us were done responsibly and there was no talk of payment," Bryant said.
He added that Microsoft does support security research in other ways, including sponsoring numerous events and conferences, such as Microsoft's own BlueHat event.
Follow eSecurityPlanet on Twitter @eSecurityP.