Microsoft to Sound Early Security Alerts
Microsoft is changing the manner in which it handles the premature disclosure of security flaws in its products by independent security firms with a new pilot program called Microsoft Security Advisories.
The program fills the knowledge gap between the public disclosure of a vulnerability and the release of a fix by Microsoft engineers: the Microsoft Security Response Center will publish special bulletins that give an overview of the flaw and guidance on mitigating it.
While it remains to be seen whether the program will warm the sometimes adversarial relationship between security researchers and Microsoft, Security Advisories is a departure from Redmond's previous strategy of withholding information that could be used to harm its customers until a patch can be released. Microsoft has long criticized researchers for what it deems "improper" disclosure of vulnerabilities.
Now, Microsoft itself will publish sample code and other pertinent security data when it is necessary to communicate that information to its customers.
The program will also use the bulletins to relay changes made to Microsoft software that may impact customers' security. Customers will be e-mailed the bulletins and alerted through several means including a dedicated RSS feed and MSN Messenger alerts. Bulletins will come in two varieties: one for consumers and another for IT professionals.
"Customers have told us that they want more prescriptive and timely guidance on security issues and Microsoft has responded to that feedback by continuously improving the security communications we deliver to customers," a company spokesperson said in a statement.
Microsoft Security Advisories will not carry a severity rating like Microsoft's security bulletins, but will have common elements such as a unique Knowledge Base tracking number and an appendix of revisions. The advisories are available free of cost.
"The changes represent yet another refinement of Microsoft's security outreach. While the new information is a commendable improvement, I am concerned that all the noise will simply overwhelm many people. Microsoft seems to be positioning security thoroughness as a marketing tool, and I'm not sure that's the best approach," said Jupiter Research senior analyst Joe Wilcox.
"At what point do people stop listening to the noise, creating potentially another kind of security risk because they aren't listening when they really need to? It's not like there are major antivirus outbreaks every day," added Wilcox.