This is just to give everyone an idea of the escalation that happens in the information security field. . . .
Most of us know about Microsoft’s “Patch Tuesday”. In case you don’t, this is the day every month that Microsoft releases new patches (it’s the 2nd Tuesday). It allows IT departments to better plan patch deployments and avoids the issue of having a constant stream of patches to install.
Malware authors adapted to this schedule. On patch Tuesday, they would race antivirus and antimalware companies trying to generate protections. Every month as the Microsoft patches became available; malware authors would download the patches and analyze the code changes to figure out what Microsoft fixed. With the knowledge gained from reverse-engineering patches the malware authors would create new malware to take advantage of unpatched systems. At the same time, antivirus and antimalware companies would attempt to generate antimalware protections for unpatched machines.
Microsoft created the Microsoft Active Protections Program (MAPP) in 2008 as a response to the problem with reverse-engineering patches. The MAPP program was to give antimalware companies a chance to generate protection signatures or heuristics before the patch was released. This gave antimalware companies a big advantage in creating protection.
(By the way, Microsoft even keeps track of companies that generate protections within 96 hours of notification here. Please note – based on what I see from the information provided by Microsoft, very few companies consistently provide protection within the 96-hour window.)
Big win, right?
Not so fast.
In March 2012, exploit code for a just-patched RDP exploit was discovered on a Chinese website. There was a text in the file that seemed to reference an internal Microsoft case number, “MSRC11678”; strong evidence that there was a leak in the MAPP program. While the website with the code was discovered after the patch was released, it was likely antimalware authors had access to the exploit earlier. Confirmation of the leak came on May 3rd, when Microsoft excommunicated Hangzhou DPTech Technologies Co., Ltd. From the MAPP program for breaching Microsoft’s NDA.
Now I know what you must be thinking: how much in advance does Microsoft notify MAPP participants?
While it is tempting to stop there and spread FUD, the answer can be found on the MAPP blog site. In a post dated May 2, 2012, The MSRC senior program manager, Maarten Van Horenbeeck, said this:
We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners’ ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.
…
We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDA)with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.
In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.
So, what is the point of all this? Two points:
1) In trying to give advanced notice to antimalware vendors, Microsoft has also given early access to malware authors. At a minimum you can bet that foreign intelligence agencies like China’s MSS (APT, anyone?) and Russia’s FSB have this advanced information. Currently, Microsoft has over 70 companies from all over the world participating in the MAPP program. That’s a lot of people who have access to this information.
2) Microsoft attempts to balance early dissemination with the threat of premature disclosure to malicious actors. The ability of antimalware companies to execute on this information for creating protection seems to be highly variable. At the same time, the delay from vulnerability notification to patch is measured in months; in this case the patch took six months.