Making good on a couple of promises made at Black Hat last summer, Microsoft announced agreements with a number of security software vendors that will give the likes of SecureWorks, Sophos, Fortinet, Third Brigade, TippingPoint and others an advance heads-up on the security patches that will come out on Patch Tuesday. Under Microsoft’s Active Protections Program, the vendors have signed non-disclosure agreements in exchange for the ability to prepare for the patches and for attacks against unpatched machines.
In a related development, Microsoft will now also offer its own assessment of how likely it is that specific, functional exploit code will circulate for the security flaws disclosed in each month’s Patch Tuesday bulletins. Dubbed the “Exploitability Index Assessment,” it gives each vulnerability a rating from one through three: 1 means consistent exploit code is likely; 2 means inconsistent exploit code is likely; and 3 means functioning exploit code is unlikely. For the record, of the 19 vulnerabilities disclosed this week, eight were rated 1, seven were rated 2, and four were rated 3.