Microsoft: Security patches are beating malware in race to users

NEWS

One year after launching three security programs designed to improve security industry-wide, Microsoft is finding that more security patches are beating exploits out the door.

Meanwhile, the Microsoft Security Response Center said that of the 50 security bulletins it published from October 2008 to June 2009, patches were released in response to 138 vulnerabilities. Of those, 17 had public exploit code available at the time of the release, and for 67, consistent exploit code was likely to be written, according to the software giant.

The news comes after Microsoft announced on Friday it will be releasing security updates on Tuesday - outside of its monthly patch cycle - for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.

Meanwhile, Microsoft has yet to plug a critical ActiveX hole in Office that it warned two weeks ago attackers were exploiting to take control of PCs by luring Internet Explorer users to malicious websites. It is the third zero-day hole announced by Microsoft in less than two months.

In August 2008, the Microsoft Security Response Center announced three security programs to help improve security for customers, partners and others. The company issued a progress report on Monday in advance of the Black Hat security conferences set to begin on Tuesday in Las Vegas.

Through its Microsoft Active Protections Program (Mapp), Microsoft supplies vulnerability information to 45 partners prior to the monthly Microsoft Patch Tuesday security updates. Mapp partner and network security provider Sourcefire issues protections based on the information for about 95 per cent of the monthly Microsoft security bulletins.

Before Mapp, it took about eight hours to reverse-engineer, develop proof-of-concept code, and build the exploit detection for a vulnerability, which is about the time it takes for a savvy attacker to generate exploit code after a vulnerability has been disclosed, Microsoft said.

Now, it takes only about two hours, according to Sourcefire. Sourcefire developers only have to write the detection code because Microsoft provides the rest, meaning patches are typically released hours ahead of any exploits, Microsoft said.

In estimating how exploitable vulnerabilities are, Microsoft said it has had a 99 per cent reliability rate. Of 140 ratings in the Microsoft Exploitability Index, also released last year, there has only been one revision that dropped the severity of the vulnerability, the company said.

For the third program, Microsoft Vulnerability Research (MSVR), Microsoft researchers work to find holes in third-party software. From June 2008 until June 2009 the MSVR team identified software vulnerabilities affecting 32 vendors, Microsoft said.

Of the holes found in the outside software, 86 per cent were critical or important and 13 per cent have been fixed, while five per cent are in the process of being resolved, according to Microsoft. The MSVR team and Microsoft security researcher Billy Rios were credited with finding holes recently fixed in the Apple Safari browser.

"We're seeing attacks get more complex," said Mike Reavey, director of the Microsoft Security Response Center. "There's a race between attackers and defenders and collaboration is needed in the industry."

Microsoft is unveiling this week the Microsoft Office Visualisation Tool, which offers a graphical view of Office binary file formats so programmers can better see where vulnerabilities and malware might be embedded within an Office document.

In the 50 security bulletins published from October 2008 to June 2009, Microsoft released security updates in response to 138 vulnerabilities; these updates resulted in 140 Exploitability Index ratings (Photo credit: Microsoft)