Las Vegas — At the Black Hat security conference on Wednesday, Adobe Systems Inc. announced that it will soon adopt Microsoft Corp.’s practice of sharing information about vulnerabilities in its software with security vendors before the companies release security updates, in order to better protect users against electronic threats.
Entering into this association with Microsoft, Adobe becomes the latest, and probably the most prominent, member of Microsoft’s security information program. Adobe has followed 65 other firms in adopting the Microsoft Active Protections Program (MAPP).
By the end of the year, Adobe will start sharing vulnerability information about its products with security solution vendors via Microsoft’s MAPP, as Microsoft does for its latest patches, according to Brad Arkin, Adobe’s director of product security and privacy. “The MAPP program is the gold standard for how the software vendors should be sharing information about product vulnerabilities prior to shipping security updates,” he said.
“Considering the relative ubiquity of many of our products, Adobe has attracted increasing attention from attackers,” Arkin said. “We are committed to our customers’ security at every level and are excited to leverage MAPP as an important part of our overall product security initiative. MAPP is a great example of a tried and proven model giving an upper hand to a network of global defenders who all rally behind a shared purpose: protecting our mutual customers.”
Adobe is the first third-party vendor to provide this crucial information, which will help security software makers address new threats more rapidly. In the meantime, Microsoft has revised its controversial “responsible disclosure” policy.
Microsoft introduced MAPP in 2008 as a means of sharing vulnerability information early with its partners, before updates are deployed and made public, so that the companies have ample time to provide more timely safeguards to their clients. Today there are over 65 companies participating in the program. In a briefing this week, Microsoft described MAPP as a “game changer that minimizes the time for partners to develop responses to emerging security threats.”
MAPP has helped shrink the vulnerability window in some cases by more than 75 percent, according to Microsoft. That success has prompted Adobe to adopt the program beginning sometime in the fall, Arkin said in a statement.
“It made sense for us to work together with Microsoft rather than for Adobe to do a lot of extra work and reinvent the wheel,” Arkin said. Adobe will share information with the same MAPP partners as Microsoft, using the same format and infrastructure, he said.
Adobe at first set out to recreate MAPP, but soon discovered that it would take a lot of work to develop a program similar to Microsoft’s, which was introduced two years ago. Arkin’s team began discussions with Microsoft, at first in hopes of picking up some tips. “Eventually, together, we came to the conclusion that it would be a lot more fun to work together on this rather than Microsoft helping us to recreate the wheel,” he said.
With Adobe joining the MAPP program, however, security companies like SourceFire should do less scrambling.
This is the first time that Microsoft has offered its MAPP program to support another company’s products, said Dave Forstrom, a director with Microsoft’s Trustworthy Computing group.
Nevertheless, it may not be the last. Forstrom did not rule out the possibility that other software vendors could also jump on board.
Microsoft also announced an interesting new free security tool at Black Hat. The Enhanced Mitigation Experience Toolkit (EMET) provides newer security features, such as DEP and ASLR, to older Microsoft platforms and applications, the company says. It will ship in August.