Microsoft's impending announcement at Black Hat on the 7th of this month, titled "Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World", being delivered by some of the best security names inside Microsoft, has already gained the attention of many in the wider community.
On the surface, Microsoft's described goal, to share vulnerability data with trusted third parties ahead of the expected patch release, is an admirable one. To have the top Information Security companies working to have comparable patches or software updates available for their protective tool suites at the same time as Microsoft releases their core updates means that end users will have a better chance at being protected than if they just ignored the nagging Windows Update and didn't install the patch upon release. That is, assuming that they have one of the participating vendors' tools in use.
Where this will be useful is in the major corporate environment, where system patches, including critical updates, may be delayed by days, weeks, or even months, in order for IT staff to properly carry out regression testing against software, systems and networks in use within the corporate environment. Because more than one patch in the past has been known to break key functionality, most recently the DNS patch broke network access for Zone Alarm users, it would be negligent for administrators not to carry out a thorough period of testing. In these environments, an updated antivirus definitions file is more likely to be rolled out before a system update that arrived at the same time (although they, too, can lead to major system outages).
The goal is to risk manage the window between patch release and widespread exploit attempts and this plan should go a long way to achieving this particular aim, especially with companies such as IBM, Juniper Networks, and 3Com's TippingPoint as part of the program (though TippingPoint has its own early vulnerability sale service, so it will be interesting to see how they incorporate the privileged knowledge being given by Microsoft).
As with everything security, there is another side to consider.
Firstly, companies that develop their own exploits to allow their clients to test against them, such as Core Security and Immunity Inc, are not going to be able to join this program. Even though the rationale for not allowing them access is clearly laid out, it is still going to lead to some unhappy people in the industry.
Probably the biggest hole in the concept is that it only addresses vulnerabilities which have not already been shared openly, or even privately, before being reported to Microsoft. It is not going to do anything for the vulnerabilities that have been discovered in the wild, such as Word vulnerabilities used to penetrate government organisations and companies.
Since responsible disclosure has become a widely accepted method for releasing vulnerability information, the general security picture is going to improve as a result of this approach. However, it would be remiss to ignore the fact that the most risky release environment (exploit well before Microsoft is able to patch) will not be influenced by this program.
What else Microsoft is planning to release we won't know until the presentation takes place later this week.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.