
Vulnerabilities / Threats

7/27/2010
07:48 PM

Black Hat: Microsoft Brings Adobe Into Security Program

Adobe will soon be distributing security information through MAPP, the Microsoft Active Protections Program.

At the Black Hat USA 2010 conference, Microsoft reviewed the impact of several security initiatives, partnered with Adobe to distribute security information, and attempted to promote greater cooperation in the security community.

The call for cooperation comes amid a growing debate about responsible disclosure, the practice of notifying vendors of flaws in their software prior to public release of that information. The opposing philosophy is full disclosure, which posits that releasing vulnerability information publicly motivates vendors to move more quickly to protect their customers.

Members of Google's security team last week published a blog post calling for an end to the use of the term "responsible disclosure," because it implies that alternatives are irresponsible, and for vendors to fix software bugs faster. Certain Google researchers, as it happens, have released information about Microsoft vulnerabilities in response to perceived Microsoft foot-dragging.

Microsoft responded two days later with several posts defending its practices. But it did acknowledge that the industry needs to move beyond the debate between responsible disclosure and full disclosure.

Toward that end, Microsoft injected a new term into the discussion: coordinated vulnerability disclosure (CVD). It's basically responsible disclosure without the judgmental terminology.

"It's largely that shift in mindset," conceded Dave Forstrom, director of Microsoft's Trustworthy Computing Group, in a phone interview prior to the conference.

Forstrom says that Microsoft wants to steer clear of the debate so it can focus on trying to serve customers.

"Customers don't care about the competitive differences in the market," he said. "They want to know that vendors are working together to protect them."

Microsoft, says Forstrom, sees the industry moving toward a model that mimics a neighborhood watch. "We've reached the point in the threat landscape that one company can no longer solve online crime," he said. "No one is really exempt from helping to ensure safety on the Internet."

Toward that end, Microsoft is bringing Adobe into MAPP, a program that provides partners in the security industry with advance notification of vulnerability information.

"For the first time ever, Adobe Systems will start to leverage MAPP to push out early warnings of their vulnerabilities," said Forstrom. "Industry-wide, we think this will be a game changer."

Certainly, it could help restore Adobe's image, which has suffered as the ubiquity of its Reader and Acrobat software, not to mention its Flash Player software, has driven malware creators to find and exploit holes in the programs.

Microsoft announced a forthcoming security tool called Enhanced Mitigation Experience Toolkit (EMET) that extends security techniques deployed in recent Microsoft products, such as heap spray allocation and export address filtering, to older software from both Microsoft and third-party vendors.

"The whole purpose of this tool is to offer security mitigations for third-party apps that don't have them," said Forstrom.

EMET is slated for release in August.

Microsoft is also releasing a Microsoft Vulnerability Research (MSVR) paper and a report titled "Building a Safer, More Trusted Internet Through Information Sharing," which provides a review of the impact of several Microsoft security initiatives.
