Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Microsoft Revamps Patch Tuesday Warning Process

Software giant will share vulnerability data early with third parties, create 'Exploitability Index' for newly found flaws

LAS VEGAS -- Black Hat USA 2008 -- As hackers and researchers get ready to unveil their latest vulnerability findings here, Microsoft today announced that it is improving its methods for sharing and categorizing the vulns that affect Windows and its other applications.

"The introduction of these new programs helps address evolving online threats and provides more practical guidance to assess and manage risk," said Andrew Cushman, director of security response and outreach at Microsoft. "In the race between exploit and protection, Microsoft is committed to shifting the advantage to the security industry."

Microsoft launched the Microsoft Active Protections Program (MAPP), which gives security software providers "advance information" about the vulnerabilities addressed by Microsoft security updates. By sharing its vulnerability findings with third-party security vendors earlier, the software giant hopes to speed the development and delivery of patches and updates that address those flaws.

Microsoft also introduced its "Exploitability Index," which is designed to help users handicap the likelihood that a newly announced vulnerability will immediately result in active exploits by hackers. The Exploitability Index will be included as part of Microsoft’s monthly Patch Tuesday security bulletin releases, beginning in October.

The Exploitability Index might help users decide how swiftly they need to issue the patches that Microsoft issues each month. Currently, the software giant rates vulnerabilities on a scale of "critical," "serious," and so forth. The new index will rate vulnerabilities as "consistent exploit code likely," "inconsistent exploit code likely," or "functional exploit code unlikely."

"This additional information helps customers better assess their unique risks and better prioritize deployment of the monthly security update," Microsoft said.

"The [current] MSRC Bulletin Severity Rating system assumes that exploitation will be successful" a Microsoft spokesperson explained. "For some vulnerabilities where exploitability is high, this assumption is very likely to be true for a broad set of attackers. For other vulnerabilities where exploitability is low, this assumption may only be true by a dedicated attacker putting a lot of resources into ensuring their attack is successful.

"Microsoft will never recommend customers not to deploy an update, regardless of the Bulletin Severity rating or Exploitability Index," the spokesperson continued. "However, this information can assist sophisticated customers prioritize their approach to each month’s release."

The MAPP progrom will enable security software providers to be briefed on Microsoft's vulnerability findings before they are made public, speeding the development of patches and updates, the company said. However, the company isn't allowing researchers into the program. In order to join, a member must "offer commercial protection features to Microsoft customers" to a large number of customers. Members may not sell attack-oriented tools, the company said.

Microsoft will be blogging and offering its own views on the Black Hat conference this week through a new offering called the Microsoft Black Hat pressroom.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.