Black Hat: Microsoft Brings Adobe Into Security Program

Adobe will soon be distributing security information through MAPP, the Microsoft Active Protections Program.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 27, 2010

3 Min Read

At the Black Hat USA 2010 conference, Microsoft reviewed the impact of several security initiatives, partnered with Adobe to distribute security information, and attempted to promote greater cooperation in the security community.

The call for cooperation comes amid a growing debate about responsible disclosure, the practice of notifying vendors of flaws in their software prior to public release of that information. The opposing philosophy is full disclosure, which posits that releasing vulnerability information publicly motivates vendors to move more quickly to protect their customers.

Members of Google's security team last week published a blog post calling for an end to the use of the term "responsible disclosure," because it implies that the alternatives are irresponsible, and for vendors to fix software bugs faster. Certain Google researchers, as it happens, have released information about Microsoft vulnerabilities in response to perceived Microsoft foot-dragging.

Microsoft responded two days later with several posts defending its practices. But it did acknowledge that the industry needs to move beyond the debate between responsible disclosure and full disclosure.

Toward that end, Microsoft injected a new term into the discussion: coordinated vulnerability disclosure (CVD). It's basically responsible disclosure without the judgmental terminology: the finder reports privately to the vendor or a coordinator and holds public details until a fix ships, with Microsoft's definition making an exception when the flaw is already being exploited in the wild.

"It's largely that shift in mindset," conceded Dave Forstrom, director of Microsoft's Trustworthy Computing Group, in a phone interview prior to the conference.

Forstrom says that Microsoft wants to steer clear of the debate so it can focus on trying to serve customers.

"Customers don't care about the competitive differences in the market," he said. "They want to know that vendors are working together to protect them."

Microsoft, says Forstrom, sees the industry moving toward a model that mimics a neighborhood watch. "We've reached the point in the threat landscape that one company can no longer solve online crime," he said. "No one is really exempt from helping to ensure safety on the Internet."

Toward that end, Microsoft is bringing Adobe into MAPP, the Microsoft Active Protections Program, which gives security vendors (antivirus, intrusion prevention, and similar products) technical details of vulnerabilities ahead of Microsoft's monthly security updates so that detection signatures and other protections are ready when the patches ship.

"For the first time ever, Adobe Systems will start to leverage MAPP to push out early warnings of their vulnerabilities," said Forstrom. "Industry-wide, we think this will be a game changer."

Certainly, it could help restore Adobe's image, which has suffered as the ubiquity of its Reader and Acrobat software, not to mention its Flash Player software, has driven malware creators to find and exploit holes in the programs.

Microsoft announced a forthcoming security tool called the Enhanced Mitigation Experience Toolkit (EMET) that retrofits exploit mitigations onto older software from both Microsoft and third-party vendors. Among them are heap spray allocation, which pre-occupies the memory addresses that heap-spray exploits commonly aim for so that sprayed attacker data can't land there, and export address table access filtering, which blocks shellcode from reading the export table that it uses to locate system APIs.

"The whole purpose of this tool is to offer security mitigations for third-party apps that don't have them," said Forstrom.

EMET is slated for release in August.
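To make the heap spray allocation idea concrete, here is an added illustration, not code from EMET or from Microsoft. It uses Linux-style mmap rather than the Windows APIs EMET hooks, and the list of "classic" spray addresses is a constructed heuristic (a real list is a tuning decision, and the mitigation only protects addresses that appear on it). Each target's page is reserved as an inaccessible mapping, so a later allocation can't occupy that address and a hijacked pointer that jumps there faults instead of running sled bytes. The mmap hint is used without MAP_FIXED so an already-occupied page is never clobbered; on systems where those low addresses are unavailable the reservation simply reports zero.

```c
#define _DEFAULT_SOURCE
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example list of addresses that 32-bit heap sprays classically
 * aim for (the byte pattern doubles as a NOP-sled-like pointer). Any such list
 * is a heuristic, which is also this mitigation's known limitation. */
static const uintptr_t kSprayTargets[] = {
    0x0a0a0a0a, 0x0b0b0b0b, 0x0c0c0c0c, 0x0d0d0d0d,
    0x0e0e0e0e, 0x04040404, 0x05050505, 0x14141414,
};
#define N_TARGETS (sizeof kSprayTargets / sizeof kSprayTargets[0])

static void *reserved[N_TARGETS];   /* reserved page for each target, or NULL */

static uintptr_t page_of(uintptr_t a) {
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    return a & ~(ps - 1);           /* page-align so the hint can be honored */
}

/* Pre-occupy the page containing each spray target with a PROT_NONE mapping.
 * Returns how many targets were actually reserved. */
size_t reserve_spray_targets(void) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE), n = 0;
    for (size_t i = 0; i < N_TARGETS; i++) {
        void *want = (void *)page_of(kSprayTargets[i]);
        /* Hint only, never MAP_FIXED: a page already in use must not be replaced. */
        void *got = mmap(want, ps, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        reserved[i] = NULL;
        if (got == MAP_FAILED) continue;
        if (got != want) { munmap(got, ps); continue; }   /* kernel placed it elsewhere */
        reserved[i] = got;
        n++;
    }
    return n;
}

/* Stand-in for a spray asking for memory at target i: returns 1 if the kernel
 * would still hand out that page, 0 if it is already taken (or unmappable). */
int spray_target_available(size_t i) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *want = (void *)page_of(kSprayTargets[i]);
    void *got = mmap(want, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got == MAP_FAILED) return 0;
    int avail = (got == want);
    munmap(got, ps);
    return avail;
}

int spray_target_reserved(size_t i) { return i < N_TARGETS && reserved[i] != NULL; }

size_t spray_target_count(void) { return N_TARGETS; }

void release_spray_targets(void) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    for (size_t i = 0; i < N_TARGETS; i++)
        if (reserved[i]) { munmap(reserved[i], ps); reserved[i] = NULL; }
}

int main(void) {
    size_t n = reserve_spray_targets();
    printf("reserved %zu of %zu spray targets\n", n, N_TARGETS);
    for (size_t i = 0; i < N_TARGETS; i++)
        printf("  0x%08" PRIxPTR ": %s\n", kSprayTargets[i],
               reserved[i] ? "blocked"
                           : (spray_target_available(i) ? "still available" : "unavailable"));
    release_spray_targets();
    return 0;
}
```

The reservation must happen before the application's own heap grows into that region, which is why EMET-style tools apply it at process start; a spray that targets an address missing from the list is unaffected, so this mitigation raises the cost of an exploit rather than eliminating the class.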

Microsoft is also releasing a Microsoft Vulnerability Research (MSVR) paper and a report titled Building a Safer, More Trusted Internet Through Information Sharing, which reviews the impact of several Microsoft security initiatives.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
