Microsoft charts security vuln MAPP
Exploitability index labels #
Posted Tuesday 5th August 2008 19:25 GMT
"The exploitability index will contain labels assigned to each vulnerability, including "consistent exploit code likely," "inconsistent exploit code likely" and "functioning exploit code unlikely," which would translate into higher, medium and lower priority."
MS is making a good step forward (hopefully and potentially) in helping the security community, BUT will Average Joe User understand correctly those index labels? Because, the way that article read, those labels are being directed at the average home user to judge their computer's current security/vulnerability. Don't throw technical jargon at the average user, it tends to only confuse and further aggravate.
Erm, am I missing something here? #
Posted Wednesday 6th August 2008 00:02 GMT
"Redmond will provide security providers with detailed information about upcoming updates. The disclosures will include instructions on how to reproduce and exploit the vulnerabilities"
Don't they do that (reverse patches) already? Or does this mean that these people will be handpicked to get the stuff way before your average Joe hacker?
Oh wait, now I get it... The smart ones already know how to do this; only the "less smart" ones need the instructions so they get it beforehand.
Right!
I stand to be corrected!
This is a bunch of marketing crap #
Posted Wednesday 6th August 2008 08:56 GMT
Information about the upcoming vulnerability patches, eh? Well, let me tell you about it.
Microsoft *already* provides to the AV people (after they have signed an NDA, of course) "information" about the vulnerabilities patched by the current patches - including information on how to reproduce the problem and how to detect it. Sounds great, right?
Yeah, but.
Often this information is incomplete and totally useless. When we complain, they tell us that "only this is available at this time". Of course, nothing additional is ever available at a later time. Worse, Microsoft's algorithms for detecting these vulnerabilities are often discovered to be incomplete or (even more often) to cause false positives. When we complain, we get the standard answer that "Microsoft does not have the resources to investigate old and already patched vulnerabilities", which is just a polite way of saying "screw you".
What a bunch of moronic idiots. :-(
Maybe ... #
Posted Wednesday 6th August 2008 08:56 GMT
Maybe this is at least partly a response to the great ZoneAlarm / Windows Update cock-up of a few weeks ago, where a security update knocked loads of ZA users off the Internet.
If the other vendors (ZA in that particular case) can get more and better information from Microsoft about both the vulnerability and about the upcoming patches designed to fix said vulnerability, surely that reduces the chance of a similar scenario in the future.
MAPP looks like a good move to me.
Disclosure is good #
Posted Wednesday 6th August 2008 09:03 GMT
This is a step in the right direction. I hope they are not creating a problem for themselves by this limited disclosure approach - there will always be leaks to black-hats. What happens if it turns out that a black-hat used this information for attacks?
Anyway, I take it IDS signature writers and others will welcome this information.
@This is a bunch of marketing crap #
Posted Wednesday 6th August 2008 16:13 GMT
It's still far better than the Apple wall of silence.