Microsoft Works to Put the Clamps on 'Exploit Wednesday'
Published: August 6, 2008
by Alex Woodie
Microsoft took two steps yesterday to help thwart the "Exploit Wednesday" events following the monthly "Patch Tuesday" releases. At the annual Black Hat USA conference this week in Las Vegas, the company announced a new program to share details of newly patched vulnerabilities with software vendors before sharing them with the public and malware writers. It also unveiled a new "vulnerability index" to provide more detail on the relative danger that each newly discovered flaw poses.
It really is a predictable result: Announce the details of security vulnerabilities at a pre-determined interval, and sooner or later, hackers and malware writers will set their watches by it, eager to feed at the trough of security flaws and the easy passage into millions of PCs that they guarantee.
This has been the pattern over the last few years for Microsoft, whose Patch Tuesday security releases on the second Tuesday of every month are often followed by an Exploit Wednesday the next day, as the software underground moves quickly to reverse engineer the security patches and develop ways to exploit the vulnerabilities they address.
Sometimes it takes just a few hours for malware writers to get exploit code onto the Web following the public Patch Tuesday disclosure. This has given a new meaning to the term "zero day exploit," which originally was coined to refer to vulnerabilities for which no patch exists. The problem is that many customers haven't applied the Patch Tuesday patches by Exploit Wednesday.
Microsoft is now saying "enough is enough" to this pattern. On Tuesday it unveiled the new Microsoft Active Protections Program (MAPP) that's designed to give software vendors a head start against the criminally motivated and fast-working hackers.
"Before this program, security software providers waited until the public release of a security update before building protections," Microsoft says in a FAQ accompanying the MAPP announcement. "By obtaining early access to this information, security software providers can deliver protection features to customers more quickly."
The delivery of the MAPP program is a de facto admission by Microsoft that the security status quo is not working. As a result, the company is entrusting the security community--including developers of antivirus, intrusion detection, intrusion protection, Web and application firewall systems, and so-called "white hat" hackers--to help it protect Windows users.
Put another way, Microsoft is saying that users are not up to the task themselves. It's really not surprising that Windows users don't apply Patch Tuesday patches that very day, but the reality is that it does put them at risk when exploit code goes up for sale the following day, or even earlier. Surveys have confirmed that users are not so good at applying their patches from Microsoft and other vendors.
This is not Microsoft's fault. In recent quarters, Microsoft and other researchers have reported that the rate of security vulnerability discoveries actually decreased in 2007. However, as organized crime makes its way into the business and works to bring increasingly sophisticated development tools and techniques to bear on the task of exploiting security flaws for monetary gain, the underground network of black hat hackers and malware writers has gotten really good at turning flaws into cash, and doing so quickly.
"No one organization can counter online attacks alone," said George Stathakopoulos, general manager of security engineering and communications at Microsoft, in the announcement. "Therefore, we must use the combined strength of the industry, partners, customers, and public organizations to build a more secure environment for everyone."
Microsoft didn't share a lot of details about the criteria for gaining access to the MAPP program, other than to say that participants must make security software, have a "large number" of customers, and must not make attack tools. Interested parties are encouraged to e-mail the company at mapp@microsoft.com.
Presumably, the vendor won't be handing out MAPP passes to anybody claiming to be a security software vendor. After all, as the title of this week's hacking conference shows--as well as the hubbub over the dissemination of details of the recently discovered DNS flaw--there is a somewhat grayish line separating sides in the hacking community, and a fuzzy understanding of what bolsters the Internet's security, and what hurts it.
As a proprietary software vendor, Microsoft's tendency is toward keeping things hush-hush and quietly rolling out fixes when it's ready. This doesn't appear to be working very well anymore, so it's refreshing to see Microsoft try other approaches.
The new "Exploitability Index" should also shine more light on the security work Microsoft is doing. Previously, the software giant used a tiered approach to assessing the potential harm that a vulnerability could do. Patches that fix the most dangerous remotely exploitable problems were deemed "critical," while those that took more work to exploit were given "important" and "moderate" ratings.
When the new Exploitability Index debuts in October, Microsoft will implement a new three-tiered system intended to communicate the likelihood that each vulnerability could be exploited. The three levels--Consistent Exploit Code Likely, Inconsistent Exploit Code Likely, and Functioning Exploit Code Unlikely--will accompany each patch distributed by Microsoft.