Slashdot Mirror


MS To Share Vulnerability Details Ahead of Patches

Bridge to Nowhere writes "ZDNet is reporting that Microsoft will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a daring new program aimed at reducing the window of exposure to hacker attacks. The new Microsoft Active Protections Program (MAPP) will give anti-virus, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities."

5 of 27 comments

  1. I sure hope... by Zygfryd · · Score: 3, Funny

    the Metasploit project gets into this deal!

  2. Leaks guaranteed by SanderDJ · · Score: 5, Insightful

    According to TFA MS has some strict requirements for its intended partners. However, history has shown that the more people know a "secret", the sooner it will be revealed. Not a good thing when fighting zero-day exploits.

    I foresee disasters.

  3. Think game theory by smittyoneeach · · Score: 3, Interesting

    So you publish an occasional 'theoretical' exploit to flush out the amateurs and the unreliable in the circle of trust.
    The truly evil ones who wouldn't fall for a red herring are likely diabolical enough to have infiltrated the information source in the first place.
    Or you could just boot something else.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear

  4. This doesn't make sense by jhfry · · Score: 3, Insightful

    Why would MS, if they know about the problem and are planning a patch for it, let the security vendors know? Essentially that would make the vendors a stopgap until the patch is released a few days later.

    Why the hell doesn't MS simply release a stop-gap patch themselves and then finalize it on Tuesday? All this does is shift the blame for a bad fix to the security vendor, who has a much smaller understanding of the problem's cause and potential effects.

    I am so tired of shoddy software from the richest company in the world; there is absolutely no excuse for it! With their resources they could develop the OS using the same practices used in medical equipment software and be able to guarantee a nigh 99.9999% uptime... but instead they release crappy code and milk the public for cash.

    I am not a big fan of regulation; however, I believe that any company that creates an unsafe product needs to be penalized, even if that product is software. Microsoft has indirectly caused trillions of dollars in lost productivity, theft, vandalism, security management costs etc... Almost all of which could have been prevented using the resources available to them.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.

    1. Re:This doesn't make sense by jhfry · · Score: 3, Interesting

      I do understand the why... but you're explaining the why in the current situation that was created by MS's... failures?

      Had MS spent more time developing good software with sane security there would be a far lower amount of risk.

      Besides that, what makes you think that a machine that is unpatched will have current virus definitions? If MS hadn't convinced people that viruses are not the fault of the software vendor and convinced them that they needed special virus protection, people would be much more in the habit of keeping systems patched. If MS didn't force unnecessary and unwanted patches along with the highly important security patches, people would be much more in the habit of keeping systems patched.

      Essentially what MS is doing is suggesting that their patch system is inadequate, and instead of fixing it they are going to leave it up to AV vendors to ensure that Windows users' operating systems are secure. If you ask me it's absolute bullshit!

      A good system for distributing security patches is not that difficult. A method of ranking patches by risk to operational stability vs risk of attack is not that difficult. A way for an administrator to choose how much risk they are willing to accept is not that difficult.

      So why not have a system where my server can check for new patches every few hours, and those patches include risk scores dependent upon the function of the system... if I want to get all patches and keep myself secure but risk instability I can... if I would rather wait until the patch has been widely deployed and is considered low risk, I can configure that too. Why involve a third party? Why should the security of my operating system be the responsibility of someone who has no control of the internal workings of my OS?

      It's easy to justify what MS does; after all, Windows is one hell of a complex piece of software. But we are talking about a company that has more resources than many small countries and has their software deployed on billions of computers worldwide. They can do better, and they should!

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.
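As an added illustration of the patch-policy idea in the comment above (this is example code, not anything written by the commenter or by Microsoft), here is a small Python policy engine of the kind described: each patch carries an attack-risk score and a stability-risk score, patches are tagged with the system roles they matter for, and the administrator picks a policy that sets how much stability risk to accept, when attack risk overrides that, and how long a deferred patch must have been out before it counts as "widely deployed". The 0-10 scales, the role tags, the seasoning period and all sample patches are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# --- Data model (assumed for this example) -----------------------------------

@dataclass(frozen=True)
class Patch:
    patch_id: str
    attack_risk: int            # 0-10: likelihood/impact of exploitation if left unpatched
    stability_risk: int         # 0-10: likelihood of breaking something when applied
    released: date
    affected_roles: frozenset   # roles the patched component serves; empty = core, applies to all
    security: bool              # True for security fixes, False for feature/quality updates

@dataclass(frozen=True)
class Policy:
    max_stability_risk: int     # install automatically if stability risk is at or below this
    min_attack_risk: int        # install regardless of stability risk at or above this
    seasoning_days: int         # a deferred patch this old is treated as widely deployed
    security_only: bool         # ignore non-security patches entirely

# --- Decision logic -----------------------------------------------------------

def effective_attack_risk(patch, roles):
    """Attack risk as it applies to THIS host: a patch for a component the host
    does not run (no overlap with its roles) contributes no attack risk."""
    if patch.affected_roles and not (patch.affected_roles & set(roles)):
        return 0
    return patch.attack_risk

def decide(patch, roles, policy, today):
    """Return 'install', 'defer' or 'skip' for one patch under one policy."""
    if policy.security_only and not patch.security:
        return "skip"
    risk = effective_attack_risk(patch, roles)
    if risk == 0 and patch.affected_roles:
        return "skip"                       # component not in use on this host
    if risk >= policy.min_attack_risk:
        return "install"                    # exposure outweighs any stability concern
    if patch.stability_risk <= policy.max_stability_risk:
        return "install"                    # within the admin's stability tolerance
    if today - patch.released >= timedelta(days=policy.seasoning_days):
        return "install"                    # out long enough to count as widely deployed
    return "defer"                          # risky and still fresh: wait for the next check

def plan(patches, roles, policy, today):
    """Map every patch id to its decision for a host with the given roles."""
    return {p.patch_id: decide(p, roles, policy, today) for p in patches}

# --- Constructed sample data --------------------------------------------------

TODAY = date(2008, 8, 10)
PATCHES = [
    # critical fix in a core component, known to be disruptive
    Patch("P-001", attack_risk=9, stability_risk=7, released=date(2008, 8, 8),
          affected_roles=frozenset(), security=True),
    # web-server fix, moderate exposure, risky to apply, but out for 40 days
    Patch("P-002", attack_risk=5, stability_risk=8, released=date(2008, 7, 1),
          affected_roles=frozenset({"web"}), security=True),
    # DNS-server fix released yesterday
    Patch("P-003", attack_risk=6, stability_risk=6, released=date(2008, 8, 9),
          affected_roles=frozenset({"dns"}), security=True),
    # non-security feature update
    Patch("P-004", attack_risk=0, stability_risk=2, released=date(2008, 8, 8),
          affected_roles=frozenset(), security=False),
]

# "get everything, accept instability" versus "security only, wait for seasoning"
AGGRESSIVE = Policy(max_stability_risk=10, min_attack_risk=7, seasoning_days=0, security_only=False)
CONSERVATIVE = Policy(max_stability_risk=3, min_attack_risk=8, seasoning_days=30, security_only=True)

if __name__ == "__main__":
    for name, policy in (("aggressive", AGGRESSIVE), ("conservative", CONSERVATIVE)):
        for roles in ({"web"}, {"dns"}):
            print(name, sorted(roles), plan(PATCHES, roles, policy, TODAY))
```

The point the comment makes is visible in the two policies: the conservative web host still takes P-001 immediately because its attack risk crosses the override threshold, takes P-002 only because it has been out past the seasoning period, and never touches the DNS patch or the feature update; the same policy on a DNS host defers the day-old P-003 rather than installing it blind.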