Microsoft also provided updates on the three security collaboration programs it first announced last year at Black Hat, the Microsoft Active Protections Program (MAPP), the Microsoft Exploitability Index, and the Microsoft Vulnerability Research (MSVR) program, as well as Project Quant, which represents an effort to create metrics and quantify the cost and efficiency of an organization's security patching process.
The announcements, which Microsoft made at Black Hat USA in Las Vegas today, came amid the backdrop of two out-of-band patches the software giant said it will issue tomorrow -- one for a recently revealed bug in Visual Studio, and another for Internet Explorer. "While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we'll be releasing two separate security bulletins," said Mike Reavey, director of the Microsoft Security Response Center in a blog post today.
Microsoft won't divulge details about the patch, but Reavey said the Visual Studio update will "address an issue that can affect certain types of applications," and the IE update will add defense-in-depth changes to Internet Explorer "to help provide additional protections for the issues addressed by the Visual Studio bulletin," as well as fix critical bugs unrelated to the Visual Studio bug.
Microsoft was alerted a year ago about the unpatched video control flaw in versions of Windows XP and Windows Server 2003 that had been actively exploited in a wave of attacks around the world -- including on some .org and .com sites -- during the past few weeks. The software giant issued an advisory on the flaw, as well as a workaround, telling users to set a "kill bit" for the Video ActiveX Control as an interim solution.
Meanwhile, Microsoft's new Microsoft Office Visualization Tool (OffVis) tool is aimed at helping quell targeted Office attacks. Andrew Cushman, senior director of Microsoft Security Response Center strategy, says the free tool is another weapon to defeat format-based software vulnerabilities and exploits, and will help organizations better understand and protect themselves from targeted, Office-based attacks.
"It lets them quickly identify if there's malicious content inside a file. This is helpful for IT administrators if they need to create signatures, and for researchers who want to reverse-engineer or unpack malicious software," Cushman says. "It allows a novice user to understand the complexities of binary file formats."
The tool can tell whether the structures of an Office document are legitimate or contain malicious code. "You could use it during an attack or in a [forensics] investigation," Cushman says.
Microsoft also published the Microsoft Security Update Guide, which lets customers better navigate the Microsoft update process and information the company provides for patches and threats.
Cushman says 47 companies are in the MAPP program, in which Microsoft shares vulnerability data early with third-party software developers so they can get a jump on protecting their own applications that could be affected. "This lets them focus on signatures and testing and delivering signatures the same day the updates come out," he says. "They don't have to do any heavy reverse-engineering."
All of these programs fall into Microsoft's strategy of teaming with other security and software vendors to combat the latest threats. "This is about community-based defense. You can't do this in isolation," Cushman says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.