Adobe to follow Microsoft plan of sharing security info

LAS VEGAS--Adobe Systems will soon be adopting Microsoft's model of sharing information about vulnerabilities in its software with security vendors before the companies release security updates, the companies were set to announce at the Black Hat conference here on Wednesday.

Microsoft launched its Microsoft Active Protections Program (MAPP) in 2008 and since then has been sharing vulnerability information with vendors before updates are made public so the companies have time to offer more timely protection to their customers before the updates are deployed.

MAPP has helped to reduce the vulnerability window in some cases by more than 75 percent, according to Microsoft. That success has prompted Adobe to follow the program beginning sometime in the fall, Brad Arkin, Adobe's director of product security and privacy, told CNET on Tuesday.

"It made sense for us to work together with Microsoft rather than for Adobe to do a lot of extra work and reinvent the wheel," Arkin said. Adobe will be sharing information with the same MAPP partners as Microsoft and using the same format and infrastructure, he said.

Meanwhile, Microsoft will also be announcing this week a toolkit that will allow older versions of Windows and third-party applications to benefit from technologies designed to protect Windows-based computers from attack. The features, ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), were written to run on newer versions of Windows.

The new Advanced Mitigation Experience toolkit will enable developers of older Windows and non-Microsoft software to take advantage of those technologies, said Mike Reavey, director of the Microsoft Security Response Center.

In addition, Microsoft is promoting a policy of "coordinated disclosure" of security vulnerabilities by the research community, rather than "responsible disclosure" (notifying affected software vendors) or "full disclosure" (notifying everyone at once). The software giant is encouraging researchers to work with the company when vulnerabilities are being exploited in the wild before going public with the information on the weaknesses.

The disclosure debate heated up after Google researcher Tavis Ormandy publicly disclosed a Windows-related hole and releasing a proof-of-concept exploit in June before Microsoft had a chance to develop a fix. Ormandy defended his actions, saying he needed to get Microsoft's attention to fix the problem, and other researchers supported him. Within days of the disclosure, there were attacks discovered that exploited the hole.

A Google Security Team blog post last week signed by Ormandy and others argued that vendors too often invoke the principles of "responsible" disclosure to delay fixing holes, sometimes for years. The post suggests that 60 days is a reasonable time frame for vendors to fix critical holes.

"We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts," the Google team wrote. "Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet."

Microsoft's policy shift, detailed in this recent blog post, is not far from the "responsible" disclosure it previously advocated.

"I don't think there is a one-size (fits all) for deadlines for fixing vulnerabilities in products," Reavey told CNET. "What's important is to make sure there is a security update that works for customers... and shared accountability. Customers want vendors and researchers to come together."