Microsoft to give governments patch previews

[DKT27]

Microsoft has launched a pilot program for governments and critical infrastructure providers to gain access to in-depth technical information about operating system patches before they are released on the second Tuesday of each month.

Senior security program manager lead at the Microsoft Security Response Centre (MSRC), Steve Adegbite, yesterday launched the Defensive Information Sharing Program (DISP) and the Critical Infrastructure Protection Program (CIPP) at the AusCERT 2010 security conference in Queensland.

Microsoft currently provides security vendors such as Kaspersky, McAfee and Symantec with some of this information, but not all of it. Finer details of a vulnerability don't normally get disclosed to the vendors, and that's detail Adegbite said governments would find useful in knowing as soon as it was available.

"One thing we started noticing was that industry and third-party software protection providers ... aren't the only defenders out there," he said. "There are actually national [Computer Emergency Response Teams] and there are national agencies and entities ... what about them?"

This is where the new pilot programs would bridge the gap, Adegbite said.

He said the new programs were going to offer a "monthly exploit index" as well as access to vulnerability information "as soon as possible".

The "monthly exploit index" would provide governments and critical infrastructure providers with a list of exploits that show a priority of which should be fixed first when the patch is available from Microsoft.

"Essentially, at a time before or prior to the monthly [security] update, what people are going to receive inside these programs [is] they're going to receive 'Here's what Microsoft is updating, here's the technical information behind it, stack traces as well as source code of where this vulnerability that we're updating within there [exists]," Adegbite said.

"We started figuring out we had a lot of this information," he said. "And we have a lot of smart people that look at vulnerabilities every month, and they can almost start to predict which vulnerabilities will wind up being attacked first.

"So you're actually going to get a stack ranking that says that these are the top [vulnerabilities] we believe are going to be exploited, with the technical details."

The DISP program information would be able to be shared within government departments. "That's the good thing that's going to be key," Adegbite said. "So if you're in disparate parts of the government working on the same problem, Microsoft is going to provide the information to the national entities or whoever is in this program and allow them to share within that agency as well."

The CIPP would focus "solely on different methods and strategies on how to protect critical infrastructure," Adegbite said.

Source: ZDNET