Today, the MSRC released its third annual progress report highlighting advancements of key Microsoft programs designed to help prevent and defend against online threats. The Microsoft programs featured in this paper include the following:
- The Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR) programs are intended to help protect customers through innovative industry collaboration and information sharing.
- The Exploitability Index provides additional information to help customers better prioritize the deployment of security updates.
- Our approach to Coordinated Vulnerability Disclosure describes how Microsoft – and other software vendors who have adopted a similar approach – wants to work with the finders of software vulnerabilities.
Each of these programs has experienced significant progress over the past year – from the introduction of a revised Exploitability Index rating system to a 29% increase in MAPP program membership. Microsoft will continue to refine these programs based on customer and industry feedback. Full details are available in the report itself – download a copy and get the full story on the MSRC’s progress since Black Hat 2010.
Some highlights from the report:
- MAPP now has 84 security companies participating worldwide, providing protections for hundreds of millions of customers every month.
- The recently revised Exploitability Index rating for security bulletins can help to significantly reduce the need to urgently deploy all security updates.
- Of the 605 Exploitability Index ratings issued from October 2008 to June 2011, only 5 have been revised. Four of those revisions have involved a reduction in the Exploitability Index rating.
- Since July 2010, MSVR has identified and disclosed 109 different software vulnerabilities affecting a total of 38 software vendors in a safe and coordinated manner.
- Software vendors have responded and coordinated on 97 percent of all vulnerabilities reported by MSVR.
- Microsoft’s creation of a Coordinated Vulnerability Disclosure (CVD) process for our employees last year, and publication of supporting documentation in April 2011, have been very well received by customers, as evidenced by their testimonials.
- Reaction to the participation of Adobe Systems Inc. in the MAPP program has been very positive as evidenced by our MAPP testimonials:
“Adobe is proud of its continued participation in the MAPP program and pleased with the positive feedback we’ve been getting from MAPP partners. Since the July 2010 MSRC Information Sharing report, Adobe’s participation in MAPP has grown from providing proof of concept documentation for exploits to providing full detection guidance and examples on virtually all Adobe Reader and Flash Player issues. We are pleased with the results of our participation in MAPP and value MAPP as a great example of companies working together to share information to help protect our mutual customers. Adobe has provided detection guidance to MAPP partners on 14 security updates since we began participating in the program.”
– Brad Arkin, Senior Director of Product Security and Privacy, Adobe Systems Incorporated
Later this week, many of us will be attending the Black Hat USA conference in Las Vegas. We’ll be at booth #203 in the exhibition hall – if you’re attending, stop by and say hello, and feel free to give your own testimonial at the video booth.
- Mike Reavey