Microsoft, Adobe Collaborate to Protect Against Online Threats

Microsoft leads the way in information-sharing programs, new tools and guidance designed to reduce customer risk.

LAS VEGAS, July 28, 2010 - Today at the Black Hat USA 2010 conference, Microsoft Corp. announced
that it will extend its Microsoft Active Protections Program (MAPP)
(www.microsoft.com/security/msrc/collaboration/mapp.aspx) to include
vulnerability information sharing from Adobe Systems Inc. Microsoft also
discussed the new policy of coordinated vulnerability disclosure - a
reframing of responsible disclosure - and introduced new tools and guidance
that will improve online security for customers.

    (Logo: photos.prnewswire.com/prnh/20000822/MSFTLOGO)
    (Logo: www.newscom.com/cgi-bin/prnh/20000822/MSFTLOGO)

Extending Microsoft Active Protections Program in Collaboration With
Adobe Systems

Launched in October 2008 by the Microsoft Security Response Center
(https://www.microsoft.com/security/msrc/default.aspx), MAPP is a unique
collaborative effort that facilitates advanced information sharing on
Microsoft product vulnerabilities with security software providers. In fall
2010, Adobe will join Microsoft and share its vulnerability information with
the 65 global MAPP members, offering advanced protections to hundreds of
millions of people. Through programs like MAPP, Microsoft is helping protect
customers from the threats of today and tomorrow.

"Adobe products are relied on by individuals and organizations worldwide.
Given the relative ubiquity and cross-platform reach of many of our products,
as well as the continued shifts in the threat landscape, Adobe has attracted
increasing attention from attackers," said Brad Arkin, senior director of
product security and privacy at Adobe. "We are committed to our customers'
security at every level and are excited to leverage MAPP as an important part
of our overall product security initiative. MAPP is a great example of a
tried and proven model giving an upper hand to a network of global defenders
who all rally behind a shared purpose - protecting our mutual customers."

"Microsoft acknowledges that the constantly changing threat landscape
requires a new approach to security - collaboration and shared responsibility
are key as past individual efforts are no longer enough," said Mike Reavey,
director of the Microsoft Security Response Center at Microsoft. "We're
excited about extending the benefits of MAPP to Adobe users as we've seen
clear evidence of its impact in advancing customer protections. We continue
to encourage the collective industry - from security researchers and vendors
to customers- to recognize the responsibility we all share in fortifying the
broader computing ecosystem against online crime."

Shift to Coordinated Vulnerability Disclosure

In recognition of the endless debate between responsible disclosure and
full disclosure proponents and the debate's ability to detract from
productive industry collaboration and customer defense, Microsoft announced
it will move to a new practice and philosophy of coordinated vulnerability
disclosure.

    - Definition of coordinated vulnerability disclosure. Microsoft believes
      coordinated vulnerability disclosure is when newly discovered
      vulnerabilities in hardware, software and services are disclosed
      directly to the vendors of the affected product, to a CERT-CC or other
      coordinator who will report to the vendor privately, or to a private
      service that will likewise report to the vendor privately. The finder
      allows the vendor an opportunity to diagnose and offer fully tested
      updates, workarounds or other corrective measures before detailed
      vulnerability or exploit information is shared publicly. If attacks are
      underway in the wild, earlier public vulnerability details disclosure
      can occur with both the finder and vendor working together as closely
      as possible to provide consistent messaging and guidance to customers
      to protect themselves.

Additional details on coordinated vulnerability disclosure can be found at
blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx.

Microsoft calls on the broader community - from security researchers to
vendors - to move to coordinated vulnerability disclosure. The need for
coordination and shared responsibility has never been greater, as the
computing ecosystem faces an unprecedented level of threat from the criminal
element. To overcome that element, we must work together to improve the
security of the entire ecosystem - and, as always, making customer protection
our highest priority.

New Tools and Guidance

Microsoft also today released several resources that will help customers
make informed decisions and manage risk. These releases demonstrate the
company's ongoing efforts to improve customer experience by developing and
sharing guidance and solutions. Microsoft urges organizations to leverage
this freely available guidance to protect against threats and improve their
security processes.

    - Enhanced Mitigation Experience Toolkit (EMET). EMET is a free tool that
      brings newer security mitigations to older Microsoft platforms and
      applications, both third-party and line of business applications. The
      tool specifically helps block targeted attacks against unfixed
      vulnerabilities. The tool will be available in August. Those interested
      can visit ecn.channel9.msdn.com/o9/edge/9900/29900/emetoverview72010_edge.wmv
      to watch an instructional video.
    - Microsoft vulnerability research (MSVR) paper. The MSVR was launched to
      share the lessons Microsoft has learned about building more secure
      software and responding to vulnerabilities in third-party products
      built on the company's platform. Since its launch in 2008, the MSVR has
      worked with more than 30 vendors, helping improve both Microsoft's
      software, as well as third-party products, ultimately keeping more
      people safe online. A more detailed account on how the MSVR has
      improved the overall security of Microsoft and third-party products can
      be downloaded at go.microsoft.com/?linkid=9738193.
    - A Report: Building a Safer, More Trusted Internet Through Information
      Sharing. In August 2008, Microsoft launched three security-related
      programs designed to collectively share more information with partners
      and customers. As outlined in this report, the three programs - MAPP,
      the Microsoft Exploitability Index and the MSVR - have evolved over the
      past two years, creating a safer online environment for people around
      the world. For example:
      - Sourcefire Inc. reported that in the race between exploit and
        protection, MAPP has helped to reduce the risk of attack in some
        cases by more than 75 percent.
      - According to iDefense Labs, the Microsoft Exploitability Index has
        helped reduce risk by providing system administrators with the
        information they need to prioritize security updates.
      - Since 2009, the MSVR program has identified 35 different software
        vulnerabilities affecting a total of 19 vendors. To date, 45 percent
        of those vulnerabilities have been resolved, helping better secure
        Microsoft's platform and the larger computing environment.

The full report on the progress of these three programs can be viewed at
go.microsoft.com/?linkid=9738546.

Given the increasing criminality of the threat landscape, it's clear that
a new approach to security is required. Microsoft encourages a shared sense
of responsibility across the ecosystem as no one company, individual or
technology can solve today's complex security challenges. As such, Microsoft
calls on the industry to continue to collaborate and coordinate to combat
online threats and create a safer, more trusted Internet.

About Microsoft

Founded in 1975, Microsoft (Nasdaq: MSFT) is the worldwide leader in
software, services and solutions that help people and businesses realize
their full potential.

Rapid Response Team of Waggener Edstrom Worldwide, +1-503-443-7070, rrt at waggeneredstrom.com, for Microsoft Corp.; NOTE TO EDITORS: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at www.microsoft.com/news. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft's Rapid Response Team or other appropriate contacts listed at www.microsoft.com/news/contactpr.mspx.