Microsoft offers peek to protection firms
Published: 2008-08-05

LAS VEGAS -- Companies that hesitate to apply Microsoft's fixes on the day of its regularly scheduled Patch Tuesday release will have a better chance of being protected by third-party security software, thanks to an information-sharing initiative the software giant announced on Tuesday at the Black Hat Security Briefings.

Beginning in October, Microsoft will share information about flaws with security-software makers shortly before the company releases the patches for them. The initiative, dubbed the Microsoft Active Protections Program (MAPP), is necessary because exploit writers have steadily shortened the time they need to turn a newly released patch into working exploit code, said Mike Reavey, group manager for Microsoft's Security Response Center.

"This is all about 10 o'clock and making sure we have protection available when updates are available," Reavey said, referring to the software giant's scheduled release time for patches. "It's a balance between making sure the defenders have protection available, but not getting the information into the hands of the bad guys."

Although releasing patches is necessary for users of Microsoft software to protect their systems, many companies wait to install the updates until they have tested how the patches interact with their critical applications. Meanwhile, exploit writers routinely reverse engineer the patches to build attacks that target users who have not yet installed them. In April, university researchers demonstrated a rudimentary system that, starting from a patch, could automatically generate inputs within minutes that would at least crash, if not fully exploit, programs containing certain classes of vulnerabilities.

Because the information shared through the program is sensitive, Microsoft requires that partners sign nondisclosure agreements, provide commercial protection products to a large number of Microsoft customers, refrain from selling attack-oriented tools, and be able to prevent exploitation of the vulnerabilities in question.

To limit the window in which information leaked from the program could reach exploit writers, Microsoft will give participating vendors only the minimum time needed to build their defenses, Reavey said.

"We're talking 'just in time,'" he said. "So, not a lot of lead time."

Microsoft also announced that future security bulletins will include guidance on how likely a given vulnerability is to be exploited. The Exploitability Index will assign each vulnerability one of three ratings: "Consistent exploit code likely," "Inconsistent exploit code likely," and "Functioning exploit code unlikely."

Posted by: Robert Lemos
Copyright 2009, SecurityFocus