[ISN] MS Premium Customers Get Early Security Warnings

InfoSec News isn at c4i.org
Wed Sep 15 01:58:08 EDT 2004


By Ryan Naraine
September 10, 2004 

Microsoft is giving premium customers advance notice of security
bulletins, internetnews.com has learned.

The company plans to release two security bulletins, one with a
"critical" rating, on Tuesday September 14, in order to plug holes in
multiple software products, according to an advance notice sent to
select customers.

The note, obtained by internetnews.com, said Microsoft's September
batch of patches will plug a serious vulnerability in Microsoft
Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio,
and Microsoft .NET Framework.

A separate patch with an "important" rating will be issued for
Microsoft Office customers, the company said in the notice, which was
sent only to premier customers.

"At this time no additional information on these internal bulletins
such as details regarding severity or details regarding the
vulnerability will be made available until 14 September 2004,"
according to the notice.

While Microsoft said the number of bulletins, products affected,
restart information and severities are subject to change until
released, it appears there won't be a patch this month for a "highly
critical" bug in the Internet Explorer browser's drag-and-drop feature.
The bug could put millions of Web surfers at risk of malicious hacker
attacks. A public warning for that vulnerability was issued on August

In a statement released to internetnews.com, Microsoft confirmed the
pre-release of information to premier and other representative
customers. "Based on customer feedback, Microsoft started a 'heads-up'
security bulletin notification program in November 2003 with Premier
and other representative customers. The program was well-received and
feedback from participating customers was very positive; consequently,
the program was expanded in April 2004 to include all customers who
will sign an appropriate non-disclosure agreement," the company added.

Microsoft said the program is designed to provide very limited
information in a brief e-mail three business days before the
anticipated release of monthly security bulletins. It also said the
notification is to assist customers with resource planning for the
monthly security bulletin release.

Microsoft insisted the information provided in the notice was "very
basic in nature" and intended only to provide general guidelines
concerning the maximum number of bulletins that may be released, the
anticipated severity ratings, and an overview of products that may be
affected. "The information is purposely not specific and does not
disclose any vulnerability details or other information that could put
customers at risk."

However, the availability of advance notice for high-end customers
isn't likely to sit well with most Microsoft customers who must wait
for the public release of bulletins on the second Tuesday of every

The move could also raise the ire of independent security researchers
who detect software flaws and work privately with Microsoft ahead of
coordinated public disclosure.

While Microsoft has typically provided warnings ahead of time to ISVs
if a patch will disrupt a specific application, advance notice of
specific software patches is never released.

In the notice, which was seen by internetnews.com, Microsoft said it
was intended to "help our customers plan for the deployment of these
security updates more effectively. The goal is to provide our Premier
customers with information on soon-to-be released security updates."

However, Gartner security analyst John Pescatore described the
pre-release of security information to high-end customers only as "an
extremely dangerous practice."

"I know that Microsoft provides some advance warning to the Department
of Homeland Security on things that could affect critical
infrastructure. But I've never seen Microsoft give advance information
only to customers who pay. That would be a terrible thing to do,"
Pescatore said.

"That should only be allowed when we are talking about vulnerabilities
that affect critical infrastructure. Not 'pay me more and I'll tell
you earlier'. It's a very bad practice."

The Gartner vice president said the notice would be akin to an
independent researcher or hacker finding a vulnerability and sharing
the information before a patch is available. "If Ford decided to issue
recall notices for faulty brakes only to people who paid for extended
warranty, that won't fly. That would be a horrible thing to do."

The U.S. government's Computer Emergency Readiness Team (US-CERT) has
also been heavily criticized for providing security advisories to
paying customers ahead of coordinated public release.

Last January, research firm Next Generation Security Software (NGSS)
severed ties with the federally funded US-CERT and accused the
organization of selling early access to vulnerability warnings long
before vendor fixes are made available.

At the time, NGSS co-founder Mark Litchfield said it was "annoying"
that CERT gave early warning on six vulnerabilities to its paid
sponsors before vendor patches were created and made available. "The
problem became apparent when the vendor we're working with on these
vulnerabilities said they were contacted by government departments.
CERT notified them ahead of patches being made available. We did not
know about this policy to share this information with people who pay
for that privilege," Litchfield argued.

NGSS at the time vowed that it would cut off CERT from all future bug
warnings until the organization signed a binding non-disclosure
agreement that it would not share early access with its paid sponsors.
