News

Microsoft Program Will Report Adobe Software Flaws

• By Kurt Mackie
• 07/28/2010

The Microsoft Active Protections Program (MAPP) will start to share software vulnerability information from Adobe sometime this fall, Microsoft announced today.

Brad Arkin, Adobe's senior director of product security and privacy, noted that "Adobe has attracted increasing attention from hackers," in a released statement. In joining MAPP, Adobe will share its software vulnerability information with the 65 members of the organization worldwide.

MAPP members are software companies partnering with Microsoft that share vulnerability information prior to Microsoft's monthly security patch releases, according to Microsoft's "Building a Safer, More Trusted Internet Through Information Sharing" document, which can be downloaded here (PDF). Adobe's participation in the program likely will help better alert software companies that rely on Adobe solutions, allowing more time to block exploits.

The MAPP program is part of a triad of security programs announced by Microsoft in August of 2008 that also includes the "Microsoft exploitability index" and "Microsoft vulnerability research" efforts.

The exploitability index is Microsoft's prioritization guidance for its security updates, which come with severity ratings such as "critical," "important," "moderate" or "low." Severity ratings are often a bone of contention among security experts. Microsoft claims it has revised an exploitability index rating only once.

Microsoft's vulnerability research program is an effort that lends Microsoft's security expertise to other software vendors producing solutions that run on Windows. The program has flagged 35 different vulnerabilities affecting 19 software vendors since July of 2009, according to Microsoft's "Trusted Internet" document. Nearly half (45 percent) of the vulnerabilities have been resolved since that time, but "the remaining 55 percent continue to await the release of a security update from the vendor." More details on Microsoft's vulnerability research program are described in a Microsoft white paper, which can be downloaded here.

Adobe's participation with Microsoft comes as no surprise as the two companies have been announcing close collaboration efforts of late, including the sharing of Microsoft's sandbox security technology in Adobe Reader. The announcement comes as Microsoft participates this week at the Black Hat conference in Las Vegas.

Another Microsoft security related announcement today is the forthcoming release in August of the Enhanced Mitigation Experience Toolkit 2.0. This free tool helps to protect applications by shoring up common attack pathways used by malware.

Earlier this week, Microsoft announced that it had changed its policy on how flaws in software should be reported. It switched from a "responsible disclosure" policy to one called "coordinated vulnerability disclosure." The difference between the two policies is fairly miniscule, except that Microsoft plans to publicly disclose details of an exploit when "active attacks" are happening.

Microsoft will not pay researchers for disclosing security flaws in Microsoft's software under the new coordinated vulnerability disclosure policy, according to Roger Halbheer, Microsoft's worldwide chief security advisor, in a blog post.