
Black Hat: Microsoft Brings Adobe Into Security Program

Adobe will soon be distributing security information through MAPP, the Microsoft Active Protections Program.
At the Black Hat USA 2010 conference, Microsoft reviewed the impact of several security initiatives, partnered with Adobe to distribute security information, and attempted to promote greater cooperation in the security community.

The call for cooperation comes amid a growing debate about responsible disclosure, the practice of notifying vendors of flaws in their software prior to public release of that information. The opposing philosophy is full disclosure, which posits that releasing vulnerability information publicly motivates vendors to move more quickly to protect their customers.

Members of Google's security team last week published a blog post calling for an end to the use of the term "responsible disclosure" because it implies that alternatives are irresponsible, and for vendors to fix software bugs faster. Certain Google researchers, as it happens, have released information about Microsoft vulnerabilities in response to perceived Microsoft foot-dragging.

Microsoft responded two days later with several posts defending its practices. But it did acknowledge that the industry needs to move beyond the debate between responsible disclosure and full disclosure.

Toward that end, Microsoft injected a new term into the discussion: coordinated vulnerability disclosure (CVD). It's basically responsible disclosure without the judgmental terminology.

"It's largely that shift in mindset," conceded Dave Forstrom, director of Microsoft's Trustworthy Computing Group, in a phone interview prior to the conference.

Forstrom says that Microsoft wants to steer clear of the debate so it can focus on trying to serve customers.

"Customers don't care about the competitive differences in the market," he said. "They want to know that vendors are working together to protect them."

Microsoft, says Forstrom, sees the industry moving toward a model that mimics a neighborhood watch. "We've reached the point in threat landscape that one company can no longer solve online crime," he said. "No one is really exempt from helping to ensure safety on the Internet."

Toward that end, Microsoft is bringing Adobe into MAPP, a program that provides partners in the security industry with advance notification of vulnerability information.

"For the first time ever, Adobe systems will start to leverage MAPP to push out early warnings of their vulnerabilities," said Forstrom. "Industry-wide, we think this will be a game changer."

Certainly, it could help restore Adobe's image, which has suffered as the ubiquity of its Reader and Acrobat software, not to mention its Flash Player software, has driven malware creators to find and exploit holes in the programs.

Microsoft announced a forthcoming security tool called Enhanced Mitigation Experience Toolkit (EMET) that extends security techniques deployed in recent Microsoft products, such as heap spray allocation and export address filtering, to older software from both Microsoft and third-party vendors.

"The whole purpose of this tool is to offer security mitigations for third-party apps that don't have them," said Forstrom.

EMET is slated for release in August.

Microsoft is also releasing a Microsoft vulnerability research (MSVR) paper and a report titled Building a Safer, More Trusted Internet Through Information Sharing, which provides a review of the impact of several Microsoft security initiatives.
