Microsoft Program Will Report Adobe Software Flaws

The Microsoft Active Protections Program (MAPP) will start to share software vulnerability information from Adobe sometime this fall, Microsoft announced today.

Brad Arkin, Adobe's senior director of product security and privacy, noted that "Adobe has attracted increasing attention from hackers," in a released statement. In joining MAPP, Adobe will share its software vulnerability information with the 65 members of the organization worldwide.

MAPP members are software companies partnering with Microsoft that share vulnerability information prior to Microsoft's monthly security patch releases, according to Microsoft's "Building a Safer, More Trusted Internet Through Information Sharing" document, which can be downloaded here (PDF). Adobe's participation in the program likely will help better alert software companies that rely on Adobe solutions, allowing more time to block exploits.

The MAPP program is part of a triad of security programs announced by Microsoft in August of 2008 that also includes the "Microsoft exploitability index" and "Microsoft vulnerability research" efforts.

The exploitability index is Microsoft's prioritization guidance for its security updates, which come with severity ratings such as "critical," "important," "moderate" or "low." Severity ratings are often a bone of contention among security experts. Microsoft claims it has revised an exploitability index rating only once.

Microsoft's vulnerability research program is an effort that lends Microsoft's security expertise to other software vendors producing solutions that run on Windows. The program has flagged 35 different vulnerabilities affecting 19 software vendors since July of 2009, according to Microsoft's "Trusted Internet" document. Nearly half (45 percent) of the vulnerabilities have been resolved since that time, but "the remaining 55 percent continue to await the release of a security update from the vendor." More details on Microsoft's vulnerability research program are described in a Microsoft white paper, which can be downloaded here.

Adobe's participation with Microsoft comes as no surprise as the two companies have been announcing close collaboration efforts of late, including the sharing of Microsoft's sandbox security technology in Adobe Reader. The announcement comes as Microsoft participates this week at the Black Hat conference in Las Vegas.

Another Microsoft security-related announcement today is the forthcoming release in August of the Enhanced Mitigation Experience Toolkit 2.0. This free tool helps to protect applications by hardening them against common attack pathways used by malware.

Earlier this week, Microsoft announced that it had changed its policy on how flaws in software should be reported. It switched from a "responsible disclosure" policy to one called "coordinated vulnerability disclosure." The difference between the two policies is fairly minuscule, except that Microsoft plans to publicly disclose details of an exploit when "active attacks" are happening.

Microsoft will not pay researchers for disclosing security flaws in Microsoft's software under the new coordinated vulnerability disclosure policy, according to Roger Halbheer, Microsoft's worldwide chief security advisor, in a blog post.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

