Microsoft to Share Vulnerability Information with Governments Early
Microsoft recently announced that it would be providing pre-patch vulnerability information to key "government entities". Citing examples such as Critical Infrastructure, the MSRC post asserts that governments are the key linchpin between the private and public sectors for protection against electronic attacks, and that they provide liaison between those sectors. On the surface this seems to be a strange assertion. Most information flow seems to be from the private sector (Information Security vendors, mainly) to both the public and private sectors at approximately the same time. Government-level co-ordination and response has rarely been at the forefront of this information dissemination and management, and rapid response to time-sensitive critical information isn't something that government agencies are well known for.
This will bring some value to the organisations that are able to participate in this program (no doubt for a fee), but what can they do with it pre-patch? Valid and effective security practices would already limit most common attack routes, and those that remain would have some business case for being kept open. Microsoft's own Advance Notification gives a heads-up as to the likely impact of the patches and vulnerabilities in the week before patches are released, but unless the government agencies are changing their patch deployment to same-day as release, there isn't much else to be gained from having advance notification.
The sort of vulnerabilities that are of greatest concern to people are those that are likely to have been publicly disclosed, or already being used for targeted attacks, quite likely against government agencies. Being told that there is a new remote code execution vulnerability against Word and that effective non-patch mitigation is to avoid Word documents isn't going to help, at all.
It is another step forward for Microsoft, but it might have been better delivered several years ago when they made the move to monthly patch cycles and when they made their large push towards a secure development cycle. It may be that the Defensive Information Sharing Program (DISP) will evolve into a significant aspect of future Information Security management at the nation-level, but it will have to rely upon a lot of changes to take place by all participants for this to be the case.
Might this program have helped with the current Windows Canonical Display Driver issue that has been highlighted through the Security Response Center? Or would the information flow have been about what the Microsoft Active Protections Program (MAPP) partners already receive, just with the requirement to actually provide a security product removed?
22 May 2010