July 27, 2009 1:17 PM PDT

Microsoft says security programs are paying off

by Elinor Mills

One year after launching three security programs designed to improve security industry-wide, Microsoft is finding that more security patches are beating exploits out the door.

The Microsoft Security Response Center also said that in the 50 security bulletins it published from October 2008 to June 2009, it released patches for 138 vulnerabilities. Of those, 17 had public exploit code available at the time of release, and for 67 the company rated it likely that consistent exploit code would be written.

In the 50 security bulletins published from October 2008 to June 2009, Microsoft released security updates in response to 138 vulnerabilities; these updates resulted in 140 Exploitability Index ratings.

(Credit: Microsoft)

The news comes after Microsoft announced on Friday that it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.

Meanwhile, Microsoft has yet to plug a critical ActiveX hole in Office that it warned two weeks ago attackers were exploiting to take control of PCs by luring Internet Explorer users to malicious Web sites. It was the third zero-day hole announced by Microsoft in less than two months.

In August 2008, the Microsoft Security Response Center announced three security programs to help improve security for customers, partners, and others. The company issued a progress report on Monday in advance of the Black Hat security conferences set to begin on Tuesday in Las Vegas.

Through its Microsoft Active Protections Program (MAPP), Microsoft supplies vulnerability information to 45 partners prior to the monthly Microsoft Patch Tuesday security updates. MAPP partner and network security provider Sourcefire issues protections based on the information for about 95 percent of the monthly Microsoft security bulletins.

Before MAPP, it took about eight hours to reverse-engineer, develop proof-of-concept code, and build the exploit detection for a vulnerability, which is about the time it takes for a savvy attacker to generate exploit code after a vulnerability has been disclosed, Microsoft said.

Now, it takes only about two hours, according to Sourcefire. Sourcefire developers only have to write the detection code because Microsoft provides the rest, meaning that patches are typically released hours ahead of any exploits, Microsoft said.

In estimating how exploitable vulnerabilities are, Microsoft said it has had a 99 percent reliability rate. Of 140 ratings in the Microsoft Exploitability Index, also released last year, there has only been one revision that dropped the severity of the vulnerability, the company said.

For the third program, Microsoft Vulnerability Research (MSVR), Microsoft researchers work to find holes in third-party software. From June 2008 until June 2009 the MSVR team identified software vulnerabilities affecting 32 vendors, Microsoft said.

Of the holes found in the outside software, 86 percent were critical or important and 13 percent have been fixed, while 5 percent are in the process of being resolved, according to Microsoft. The MSVR team and Microsoft security researcher Billy Rios were credited with finding holes recently fixed in the Apple Safari browser.

"We're seeing attacks get more complex," said Mike Reavey, director of the Microsoft Security Response Center. "There's a race between attackers and defenders and collaboration is needed in the industry."

This week Microsoft is unveiling the Microsoft Office Visualization Tool, which offers a graphical view of Office binary file formats so that programmers can better see where vulnerabilities and malware might be embedded within an Office document.

Microsoft also is announcing Project Quant, an online spreadsheet tool designed to help IT administrators estimate the costs associated with software update management.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Comments (15)
by monkeyfun14 July 27, 2009 1:45 PM PDT
Watch the trolls roll in
by Perry_Clease July 27, 2009 1:52 PM PDT
I'll start. :)

I cracked up when I read the headline because it sounded as if the "security programs" are "paying off" protection money to MicroSoft. Just some word play from watching too much Sopranos.
by bananaphonerules July 27, 2009 2:38 PM PDT
Please Cerry: dont comment anymore.
by baconstang July 27, 2009 3:03 PM PDT
Wouldn't want to disappoint. Happy Monday!
by Perry_Clease July 27, 2009 3:09 PM PDT
"Please Cerry: dont comment anymore."

I will not comply with that request
by shellcodes_coder July 28, 2009 2:04 AM PDT
It's much easier to exploit security holes in mac os x than in Windows Vista and 7. Hackers have proven it. So this doesn't apply to CrApple's crap os x
by Random_Walk July 28, 2009 7:03 AM PDT
Well, at least they're starting to actually do more than just count vulns... 'course, I noticed that they didn't segregate local vs. remote exploits. I wonder why...
by pentest July 28, 2009 8:56 AM PDT
Too bad UAC in 7 is completely broken. Once you allow a program to install, the UAC whitelists it and can start other programs without any warning to the poor sucker using it. That means that any program installed that is exploitable, can be exploited and the user will never know.

Given that Windows is exploited at least once a minute, your claim about some very unrealistic competitions rings hollow.
by santuccie August 31, 2009 6:43 AM PDT
@Penguinisto:

I don't have a list, but would imagine that most of them are remote exploits. That said, it's difficult to tell in this context. To refer to an individual parasite as an "exploit" would implicate a remote code execution attack; to talk about "public exploit code" could go either way. It could mean code to exploit an Office vulnerability, and it could mean a bona fide exploit.

@pentest:

I'm pretty sure I've discussed UAC with you before. It is not Vista's or W7's primary defense; in fact, it was designed to nudge developers to digitally sign their applications. That said, UAC in Windows 7 can be switched back up to "always notify." BTW, when you say "exploited once a minute," are you referring to XP? If not, then you must be talking about Trojans, and maybe a locally executed virus or two. I service PCs, and am still waiting to see Conficker or any other drive-by downloading malware on a Vista/W7 unit. You'll see Waledac here and there, as well as the occasional rogue antispyware that takes advantage of naive users by tricking them into clicking "fix now" in a scareware popup.

I must say, "pentest" is a most ironic name for you, because you don't seem to know anything about hacking. You are oblivious to what ASLR and DEP mean, and your tone suggests that the authentication mechanisms in the other two mainstream OSes are actually stronger than UAC, which is contrary to reality. I know most Linux distros have more than just authentication, but Mac OS does not (until Snow Leopard, which adds only ASLR). Kudos on your aspiration, but you've got a long way to go before you can call yourself a hacker.
by santuccie August 31, 2009 6:58 AM PDT
BTW, Windows 7 will add more security features, including Safe Unlinking and behavior monitoring. Also, should one activate XP mode, it will be almost impossible for a hardware-assisted rootkit to install.

http://securitywatch.eweek.com/microsoft_windows/touting_possible_benefits_of_windows_7_security.html
http://blog.purewire.com/bid/18281/The-Security-Impact-of-Windows-7-Adoption
by santuccie August 31, 2009 7:23 AM PDT
Oops! Sorry, I overlooked the date on the comments I was responding to.
by pentest July 28, 2009 9:00 AM PDT
Look at all this time, money, and effort spent by MS as perimeter defenses around a crappy, insecure foundation.

MS still doesn't get it. A system that is secure from the ground up doesn't need all this extra cruft.

All they do is throw more band aids on a patient that is already on life support, and many of those band aids are holey, and infected.

Every single "security" feature in Vista has been broken. MS's response to their retarded UAC in Vista has been to make it completely worthless in 7.

Nothing has changed at MS and likely never will. Incompetent to the end.
by atriusNY July 28, 2009 11:49 AM PDT
Why don't you give us some examples to enlighten us?
by santuccie August 31, 2009 7:12 AM PDT
@atriusNY:

He can't; he's only pretending to know what he's talking about (see comments just above). This is the guy who bashes Microsoft for the inherent insecurity of XP, which (as with previous versions) was designed for compatibility and defaults to root accounts. He blames them for failing to address drive-by downloads, when they didn't even exist at that time! This is also the guy who continues to claim that IIS (Windows Server) Web sites are compromised MORE than Apache (Linux) sites; actually Apache sites are defaced about 2-1/2 times as often as IIS sites, when they're not even 1-1/2 times as prevalent:
http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/

@pentest:

I see you're still comparing the latest Unix-based operating systems against eight-year-old Windows XP. You're not talking about Vista, because it beats Mac OS X security by a landslide, and is believed by some to be tougher than any Linux distro as well. Don't know how many times I've told you that W7's UAC can always be turned back up to "always notify," or how many times I've told you that authentication is all you know about because it IS the primary defense mechanism of most Unix-based OSes, and HARDLY "secure from the ground up," LOL.

Don't quit your day job, kid. You're no penetration tester.
by santuccie August 31, 2009 7:24 AM PDT
Oops! Sorry, I overlooked the dates on the comments I was responding to.