Slashdot Mirror


MS To Share Vulnerability Details Ahead of Patches

Bridge to Nowhere writes "ZDNet is reporting that Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks. The new Microsoft Active Protections Program (MAPP) will give anti-virus, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities."

2 of 27 comments

  1. Think game theory by smittyoneeach · Score: 3, Interesting

    So you publish an occasional 'theoretical' exploit to flush out the amateurs and the unreliable in the circle of trust.
    The truly evil ones who wouldn't fall for a red herring are likely diabolical enough to have infiltrated the information source in the first place.
    Or you could just boot something else.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  2. Re:This doesn't make sense by jhfry · Score: 3, Interesting

    I do understand the why... but you're explaining the why in the current situation that was created by MS's... failures?

    Had MS spent more time developing good software with sane security there would be a far lower amount of risk.

    Besides that, what makes you think that a machine that is unpatched will have current virus definitions? If MS hadn't convinced people that viruses are not the fault of the software vendor and convinced them that they needed special virus protection, people would be much more in the habit of keeping systems patched. If MS didn't force unnecessary and unwanted patches along with the highly important security patches, people would be much more in the habit of keeping systems patched.

    Essentially what MS is doing is suggesting that their patch system is inadequate, and instead of fixing it they are going to leave it up to AV vendors to ensure that Windows users' operating systems are secure. If you ask me it's absolute bullshit!

    A good system for distributing security patches is not that difficult. A method of ranking patches by risk to operational stability vs risk of attack is not that difficult. A way for an administrator to choose how much risk they are willing to accept is not that difficult.

    So why not have a system where my server can check for new patches every few hours, and those patches include risk scores dependent upon the function of the system... if I want to get all patches and keep myself secure but risk instability, I can... if I would rather wait until the patch has been widely deployed and is considered low risk, I can configure that too. Why involve a third party? Why should the security of my operating system be the responsibility of someone who has no control of the internal workings of my OS?

    It's easy to justify what MS does; after all, Windows is one hell of a complex piece of software. But we are talking about a company that has more resources than many small countries and has their software deployed on billions of computers worldwide. They can do better, and they should!

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.