Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Microsoft to share vulnerability data. Will you be rocked?

Later tonight, Microsoft, at the Black Hat conference, is scheduled to outline a new approach to vulnerability management which will include sharing vulnerability data with other vendors before the patches arrive.

Microsoft's impending announcement at Black Hat on the 7th of this month, titled "Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World", being delivered by some of the best security names inside Microsoft, has already gained the attention of many in the wider community.

On the surface, Microsoft's described goal, to share vulnerability data with trusted third parties ahead of the expected patch release, is an admirable one. To have the top Information Security companies working to have comparable patches or software updates available for their protective tool suites at the same time as Microsoft releases their core updates means that end users will have a better chance at being protected than if they just ignored the nagging Windows Update and didn't install the patch upon release. That is, assuming that they have one of the participating vendors' tools in use.

Where this will be useful is in the major corporate environment, where system patches, including critical updates, may be delayed by days, weeks, or even months, in order for IT staff to properly carry out regression testing against software, systems and networks in use within the corporate environment. Because more than one patch in the past has been known to break key functionality, most recently the DNS patch broke network access for Zone Alarm users, it would be negligent for administrators not to carry out a thorough period of testing. In these environments, an updated antivirus definitions file is more likely to be rolled out before a system update that arrived at the same time (although they, too, can lead to major system outages).

The goal is to risk manage the window between patch release and widespread exploit attempts and this plan should go a long way to achieving this particular aim, especially with companies such as IBM, Juniper Networks, and 3Com's TippingPoint as part of the program (though TippingPoint has its own early vulnerability sale service, so it will be interesting to see how they incorporate the privileged knowledge being given by Microsoft).

As with everything security, there is another side to consider.

Firstly, companies that develop their own exploits to allow their clients to test against them, such as Core Security and Immunity Inc, are not going to be able to join this program. Even though the rationale for not allowing them access is clearly laid out, it is still going to lead to some unhappy people in the industry.

Probably the biggest hole in the concept is that it only addresses vulnerabilities which have not already been shared openly, or even privately, before being reported to Microsoft. It is not going to do anything for the vulnerabilities that have been discovered in the wild, such as Word vulnerabilities used to penetrate government organisations and companies.

Since responsible disclosure has become a widely accepted method for releasing vulnerability information, the general security picture is going to improve as a result of this approach. However, it would be remiss to ignore the fact that the most risky release environment (exploit well before Microsoft is able to patch) will not be influenced by this program.

What else Microsoft is planning to release we won't know until the presentation takes place later this week.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: 3Com, 3Com, IBM, Juniper, Juniper Networks, Microsoft, Rock, TippingPoint, TippingPoint, Zone Alarm
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Staying Secure and Preventing Data Leaks in a Cloud-obsessed World
    If your organisation is to benefit from this explosive growth, it needs to be able to exploit all that the cloud has to offer. But at the same time, it is vital to protect your company’s employees, networks, data and reputation from the risks that exist in the cloud.
    Learn more »
  • Botnets: The dark side of cloud computing
    Botnets pose a serious threat to your network, your business, your partners and customers. Botnets rival the power of today’s most powerful cloud computing platforms. These “dark” clouds, controlled by cybercriminals, are designed to silently infect your network. Left undetected, botnets borrow your network to serve malicious business interests. This paper details how you can protect against the risk of botnet infection using security gateways that offer comprehensive unified threat management (UTM).
    Learn more »
  • Protecting Against the Leading Causes of Data Breach
    This whitepaper was written for the organisation that wants to focus on prevention of data loss and doesn’t have millions to spend, but needs affordable solutions that can be implemented today to protect millions of sensitive records and dollars worth of intellectual property. This whitepaper addresses: - What organisations can do to prevent the four leading causes of data breaches - Why dedicated (pure-play) DLP solutions may not protect you from all four leading causes of data breaches - How to get prevent sensitive data leaving your organisation
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.