Microsoft to Share Vulnerability Data with Incident Responders

Microsoft’s pre-patch information sharing on vulnerabilities in its software has been expanded to include incident responders dealing with advanced targeted attacks.

The Redmond, Washington-based software vendor today announced a major expansion of the five-year-old Microsoft Active Protections Program (MAPP), which is aimed at reducing the window of exposure to hacker attacks.

In the past, MAPP shared vulnerability data to give anti-malware, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities. That part of the program will remain, but Microsoft has now added two new programs specifically aimed at the explosion of APTs (advanced persistent threats) against global governments and businesses.

According to Microsoft Senior Security Strategist Jerry Bryant, the new MAPP for Responders will provide “threat indicators” to qualified security response teams. These will include malicious URLs, file hashes, incident data and relevant detection guidance.

“The information we plan to share with response partners is focused more on threat intelligence than specifically on vulnerabilities. Where these two programs come together is around incident response. Arming more defenders against targeted attacks is a key part of our overall strategy,” Bryant explained.

Microsoft plans to support Mitre’s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications so that the shared indicators are structured and can be consumed automatically.
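As an added illustration (not code from the article or from Microsoft's program), here is what the indicator kinds named above, a file hash and a malicious URL, look like as STIX Indicator objects, together with a minimal matcher a responder's tooling could run over observed events. It assumes the STIX 2.1 JSON form with constructed placeholder values; the pattern evaluator handles only single-comparison patterns.

```python
import json
import re

# Constructed STIX 2.1 bundle (assumed format; all values are placeholders) carrying
# the two indicator kinds the article names: a file hash and a malicious URL.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2013-07-29T00:00:00Z", "modified": "2013-07-29T00:00:00Z",
         "name": "Constructed hash of a malicious document", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "valid_from": "2013-07-29T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2013-07-29T00:00:00Z", "modified": "2013-07-29T00:00:00Z",
         "name": "Constructed exploit-delivery URL", "pattern_type": "stix",
         "pattern": "[url:value = 'http://bad.example.invalid/doc.php']",
         "valid_from": "2013-07-29T00:00:00Z"},
    ],
})

# Evaluator for single-comparison STIX patterns: [<type>:<property> = '<value>']
PATTERN_RE = re.compile(r"^\[(\w+):([\w.'-]+)\s*=\s*'([^']*)'\]$")

def load_indicators(bundle_json):
    """Return (indicator id, object type, property path, value) per STIX indicator."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m is None:  # compound patterns are outside this minimal evaluator
            continue
        out.append((obj["id"], m.group(1), m.group(2).replace("'", ""), m.group(3)))
    return out

def match_events(bundle_json, events):
    """Return ids of indicators matching events like {"type": "url", "value": ...}."""
    hits = set()
    for ind_id, obj_type, prop, value in load_indicators(bundle_json):
        for ev in events:
            obs = str(ev.get(prop, ""))
            # hex hashes are compared case-insensitively; URLs must match exactly
            same = obs.lower() == value.lower() if prop.startswith("hashes.") else obs == value
            if ev.get("type") == obj_type and same:
                hits.add(ind_id)
    return sorted(hits)
```

Feeding the output of a sandbox run or proxy log into `match_events` gives the responder a list of which shared indicators were actually observed in the incident.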

Bryant said that the surge in targeted attacks, now one of the primary threats to enterprises, governments and other entities, pushed Microsoft to expand the MAPP program. “Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks. Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange,” he added.

Separately, Microsoft launched a new MAPP Scanner tool to help pinpoint if certain files or documents are attempting to exploit security vulnerabilities.

MAPP Scanner, currently in a closed pilot program, is described as a cloud-based service that can scan Office documents, PDF files, Flash movies, and suspect URLs to determine whether they are attempting to exploit a vulnerability. It performs both static and active analysis: it spins up virtual machines for every supported version of Windows and opens the content in supported versions of the appropriate application, Bryant explained.


Bryant also said MAPP Scanner can help find a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with a known vulnerability for deeper analysis. “MAPP Scanner is extremely effective in identifying previously unknown vulnerabilities while at the same time dramatically improving the ability and efficiency of responders investigating an incident,” he added.

MAPP Scanner is also aimed at Microsoft partners who are likely to be subjected to targeted attacks.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
