[ISN] Microsoft revamps security hole approach

InfoSec News isn at c4i.org
Fri May 6 09:16:27 EDT 2005


By Matthew Broersma
06 May 2005

Microsoft has a new security service that will provide an immediate
response when researchers publicise unpatched vulnerabilities.

The pilot programme run by the Microsoft Security Research Center
(MSRC) and called simply Microsoft Security Advisories, complements
the monthly scheduled Security Bulletins ordinarily accompanied by
Unlike the bulletins though, advisories will not have to meet any
fixed schedule, being issued instead as soon as possible after a
vulnerability is disclosed, Microsoft said.

The advisories will be used to address various issues arising between
the monthly bulletins, including vulnerability disclosures and
phishing scams.

The advisories "will address security changes that may not require a
security bulletin but that may still impact customers’ overall
security," said Nick McGrath, Microsoft's head of platform strategy.  
"Customers have told us that they want more prescriptive and timely
guidance on security issues."

In the past, Microsoft has limited its detailed comments to the
monthly bulletins, responding to other issues with short statements. A
noticeable shift came last month when MSRC programme manager Stephen
Toulouse used the MSRC blog to discuss a flaw that had been disclosed
in Windows 2000 systems. Typically, Microsoft uses such discussions to
downplay the severity of unpatched flaws.

The advisory system is the latest development in an ongoing debate
over how software vendors and security researchers should balance the
need for users to be aware of vulnerabilities with the need for
discretion. Microsoft has criticised security researchers for
discussing flaws before a patch has been released. For their part,
many researchers have said they only disclose vulnerability
information if they are unable to convince Microsoft to take action.

More information about the ISN mailing list