Adobe has joined Microsoft’s MAPP program, which provides members with information about security vulnerabilities before Microsoft releases its monthly patches.
This will let Adobe, which has been plagued by security flaws, notify MAPP members about vulnerabilities in its apps so they can fix those problems more quickly.
Separately, Microsoft has announced a coordinated vulnerability disclosure program which will let anyone who discovers security flaws report them directly to CERT/CC or another coordinator so vendors of the affected products get the information in time to fix the problem.
Microsoft also released several resources to help customers make informed decisions about security and manage their risk.
Gimme Shelter
Microsoft announced the tie-in with Adobe on Wednesday at the Black Hat USA 2010 conference.
Joining the Microsoft Active Protections Program (MAPP) lets Adobe piggyback on the bulletins Microsoft sends out about newly discovered vulnerabilities in its own applications to the program’s 65 global members, which are security vendors. These bulletins are sent out far enough ahead so MAPP members can fix those vulnerabilities before Microsoft issues its regular monthly patches.
“By sharing Adobe vulnerability information with MAPP members prior to the public release of a security update, we give security providers an early start over exploit code writers, enabling them to offer protection to our mutual customers in a timely manner,” Adobe’s Wiebke Lips wrote about the tie-in.
“Adobe is the first company to publish security information on their own products through what, until now, has been an exclusively Microsoft program,” Andrew Storms, director of operations at nCircle, told TechNewsWorld.
MAPP members include Cisco, Symantec and McAfee, Dave Forstrom, director of Microsoft’s trustworthy computing group, told TechNewsWorld. However, Adobe won’t exactly be a member of the program.
“Adobe is not part of that group of 65, as it’s partnering with Microsoft to share early warning details of vulnerabilities with them,” Forstrom pointed out.
The Road to Rehabilitation
Adobe has been plagued by security vulnerabilities, and its Flash Player is among the favorite vectors of attack used by hackers and malware developers because it’s so widespread. Hackers also like attacking through PDF files for the same reason.
Flash has been exploited enough by cybercriminals that Apple CEO Steve Jobs publicly mentioned its security vulnerabilities in an open letter earlier this year.
“I think only Adobe has been as popular as Microsoft with cybercriminals,” Roel Schouwenberg, a senior antivirus researcher with Kaspersky Lab Americas, said.
Teaming up with Microsoft to provide advance warning of security flaws may help Adobe restore its reputation.
“This is a smart move on Adobe’s part, and it may eventually help them rehabilitate their tattered security reputation,” nCircle’s Storms pointed out.
“The advantage for Adobe is that this move will make it much easier for security companies to create reliable detection and mitigation strategies for flaws in its products,” Schouwenberg told TechNewsWorld.
The team-up with MAPP is Adobe’s second major security move this month. A week ago, Adobe introduced Adobe Reader Protected Mode. This is based on Microsoft’s Practical Windows Sandboxing technique, and prevents hackers from accessing a user’s computer through PDF files.
One Big Happy Anti-Cybercriminal Family
At the Black Hat conference, Microsoft also pushed its coordinated vulnerability disclosure approach to fighting cybercrime.
This calls for anyone who discovers new vulnerabilities to disclose the information directly to the vendors of the affected products or to a CERT coordination center or other coordinator.
The CERT Coordination Center, or CERT/CC, identifies and addresses existing and potential security threats; notifies system administrators and other technical personnel of those threats; and coordinates with vendors and incident response teams worldwide to address those threats.
This early disclosure will give the affected vendor enough time to diagnose and offer fully tested updates, workarounds or other corrective measures before detailed vulnerability or exploit information is made public, Forstrom said.
Who’s to Blame?
Perhaps the move is a response to Google researcher Tavis Ormandy’s public disclosure in June of a security flaw in Microsoft’s Help and Support Center in Windows XP and Windows Server 2003. Microsoft suggested workarounds that drew criticism from the security community because they led to other problems.
“Microsoft is attempting to get a broader consensus in responsible disclosure by eliminating the hot button of calling irresponsible people like Tavis Ormandy irresponsible,” opined Randy Abrams, director of technical education at ESET. “Ormandy’s recent irresponsible disclosure put millions at risk for the sole purpose of inflating his ego while helping a few good guys, a ton of bad guys, and putting many in harm’s way.”
However, Redmond has to share part of the blame for people publicly disclosing information about vulnerabilities and exploits before the affected vendors have addressed these, Abrams told TechNewsWorld.
“The responsible disclosure process is, to a large degree, a problem Microsoft participated in creating with years of irresponsible reactions to responsible disclosure,” Abrams pointed out. “Microsoft has dramatically improved the appropriateness of its responses to vulnerabilities, but it takes a lot longer to rebuild than to tear down.”