At the Black Hat security conference on Wednesday, Microsoft and Adobe announced they were dramatically expanding their relationship in order to better protect users against electronic threats. Adobe will now provide vulnerability information about its products to security solution vendors via Microsoft's Active Protections Program (MAPP), as Microsoft does. Adobe is the first third-party vendor to provide this crucial information, which will help security software makers more rapidly address new threats.
"Given the relative ubiquity of many of our products, Adobe has attracted increasing attention from attackers," Adobe senior director Brad Arkin said. "We are committed to our customers' security at every level and are excited to leverage MAPP as an important part of our overall product security initiative. MAPP is a great example of a tried and proven model giving an upper hand to a network of global defenders who all rally behind a shared purpose: protecting our mutual customers."
Microsoft launched MAPP in 2008 as a way to facilitate early vulnerability information sharing with its partners, and today there are over 65 companies participating in the program. In a briefing this week, Microsoft described MAPP as a "game changer that reduces the time for partners to develop responses to emerging security threats."
Before MAPP, security vendors had to use publicly disclosed information about threats to reverse engineer fixes. This created a situation where Microsoft's Patch Tuesday was followed by "Exploit Wednesday," because it was far easier for hackers to exploit the just-announced vulnerabilities than it was for security vendors to respond to those vulnerabilities.
Now, with Adobe's participation, both Microsoft and Adobe will be providing security vendors with information about vulnerabilities before the fixes are made public. The goal is to end "Exploit Wednesdays" because the vendors' customers will already be protected.
Microsoft also talked up the latest security bugaboo at Black Hat--the debate between those who feel that security vulnerabilities should be disclosed immediately and without context and those, like Microsoft, who feel that there is a more responsible way to disclose this information. Microsoft is calling on the broader security community to move to a model of coordinated vulnerability disclosure and believes that everyone involved needs to accept some responsibility for how (and when) this information is communicated.
Microsoft didn't specifically address the recent impetus for this discussion, but let's just say that hundreds of millions of Windows users are currently at risk of being exploited by a "zero-day" vulnerability because the person who discovered it has different ideas around responsibility and disclosure. "We must work together to improve the security of the entire ecosystem," a Microsoft statement reads, "and, as always, making customer protection our highest priority."
Microsoft also announced an interesting new free security tool at Black Hat. The Enhanced Mitigation Experience Toolkit (EMET) provides newer security features--like DEP and ASLR--to older Microsoft platforms and applications, the company says. It will ship in August.