At the Black Hat computer security conference in Las Vegas on Tuesday, Microsoft introduced new initiatives to help IT administrators evaluate vulnerabilities in Microsoft software and to share information with other security vendors.
The Microsoft Exploitability Index aims to "provide customers with additional information to help business professionals prioritize patching," explained Mike Reavey, security program manager for Microsoft Security Response Center.
The Exploitability Index is Microsoft's attempt to deal with what has become an unfortunate, predictable pattern: Microsoft issues a Security Bulletin and cybercriminals answer with code designed to exploit the newly disclosed vulnerabilities.
Starting with its October patch cycle, Microsoft plans to rate the likelihood that vulnerabilities will be exploited. It will do so to help administrators prioritize patches.
Vulnerabilities will be rated with one of three designations: Consistent Exploit Code Likely, Inconsistent Exploit Code Likely, and Functioning Exploit Code Unlikely. The first designation describes a vulnerability that would produce consistent results if exploited; the second designation describes a vulnerability that is difficult to exploit or would produce inconsistent results; the third designation describes a vulnerability that would be very difficult to exploit and thus might not warrant an immediate patch.
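One way an administrator could fold the three designations into a patch-triage script, written as an added example and not Microsoft's own code: bulletins are ordered first by Exploitability Index rating, then by Microsoft's bulletin severity rating, then by whether the affected host is reachable from the Internet. The numeric deadlines, the `internet_facing` field and the `EXAMPLE-00n` bulletin identifiers are assumptions constructed for this illustration.

```python
"""Patch triage driven by the Microsoft Exploitability Index.

Added example, not Microsoft's code. The three designations are those the
Exploitability Index uses; the severity labels are Microsoft's bulletin
severity ratings; the deadlines and the internet_facing flag are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The three Exploitability Index designations (rating 1 is the most urgent).
EXPLOITABILITY = {
    1: "Consistent Exploit Code Likely",
    2: "Inconsistent Exploit Code Likely",
    3: "Functioning Exploit Code Unlikely",
}

# Microsoft bulletin severity ratings, most severe first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Assumed deployment deadlines, in days after bulletin release, per rating.
DEADLINE_DAYS = {1: 7, 2: 30, 3: 90}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str        # constructed placeholder id, not a real bulletin
    severity: str           # Critical / Important / Moderate / Low
    exploitability: int     # 1, 2 or 3, per the Exploitability Index
    internet_facing: bool   # assumed asset attribute from inventory
    released: date


def validate(b: Bulletin) -> None:
    """Reject records whose rating or severity is not one of the known values."""
    if b.exploitability not in EXPLOITABILITY:
        raise ValueError(f"{b.bulletin_id}: unknown exploitability {b.exploitability}")
    if b.severity not in SEVERITY_RANK:
        raise ValueError(f"{b.bulletin_id}: unknown severity {b.severity!r}")


def patch_deadline(b: Bulletin) -> date:
    """Deadline from the rating; a reliable exploit on a reachable host is an emergency."""
    days = DEADLINE_DAYS[b.exploitability]
    if b.internet_facing and b.exploitability == 1:
        days = min(days, 3)  # assumed emergency window
    return b.released + timedelta(days=days)


def triage_key(b: Bulletin):
    # Lower tuple sorts first: rating, then severity, then exposure, then id.
    return (b.exploitability, SEVERITY_RANK[b.severity], not b.internet_facing, b.bulletin_id)


def prioritize(bulletins):
    """Return bulletins in the order an administrator should deploy them."""
    for b in bulletins:
        validate(b)
    return sorted(bulletins, key=triage_key)


def overdue(bulletins, today: date):
    """Bulletins, in priority order, whose assumed deadline has already passed."""
    return [b for b in prioritize(bulletins) if patch_deadline(b) < today]


# Constructed sample data: four hypothetical bulletins from one patch cycle.
SAMPLE = [
    Bulletin("EXAMPLE-001", "Important", 3, False, date(2008, 10, 14)),
    Bulletin("EXAMPLE-002", "Critical", 1, True, date(2008, 10, 14)),
    Bulletin("EXAMPLE-003", "Critical", 2, False, date(2008, 10, 14)),
    Bulletin("EXAMPLE-004", "Important", 1, False, date(2008, 10, 14)),
]

if __name__ == "__main__":
    for b in prioritize(SAMPLE):
        print(b.bulletin_id, b.severity, EXPLOITABILITY[b.exploitability],
              "due", patch_deadline(b))
```

The ordering puts a "Consistent Exploit Code Likely" bulletin rated Important ahead of a "Inconsistent Exploit Code Likely" bulletin rated Critical, which is the point of the index: severity says how bad exploitation would be, the index says how likely working exploit code is.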
Fred Pinkett, VP of product management at Core Security, believes the additional information Microsoft plans to provide may be useful, if it's accurate. "We will have to watch over time how it correlates to other ratings and rankings and whether it offers new information or reiterates the existing rankings," he said in an e-mail. "More importantly, we'll have to watch over time to see if it's an accurate forecast of exploitability, which may prove difficult."
Microsoft also said it has opened the Microsoft Active Protections Program to security vendors who want access to Microsoft patch information before it gets released to the public.
To enroll in MAPP, which begins in October, companies must offer a defensive commercial security product or service to a large number of customers. Microsoft did not say how it defines "a large number of customers." Makers of attack-oriented tools need not apply. Interested companies should e-mail firstname.lastname@example.org for further information.
Reavey said that these two new programs represent a continuation of Microsoft's six-year-old Trustworthy Computing initiative. He said that Microsoft has been making progress in its effort to make computing more secure and pointed to figures from Microsoft's malicious software removal tool that show that Windows Vista machines need to be disinfected 60% less than PCs running Windows XP.
However, Reavey acknowledged there's still work to be done because one out of every 123 PCs scanned by Microsoft's malicious software removal tool has to be disinfected. "The customer pain is still there," he said.
Managing risk is the top security issue facing IT professionals, according to the 2008 InformationWeek Strategic Security Survey. The survey of 2,000 IT professionals also found that many are concerned with government or industry regulations that may not give adequate guidance on how to comply. You can learn more about the InformationWeek Strategic Security Survey by purchasing an InformationWeek (registration required).