
By Dawn Kawamoto
Posted on ZDNet News: May 6, 2005 6:08:00 PM

Microsoft will introduce a security advisory service on Tuesday that will confirm reports of flaws and provide a workaround until a patch is released.

The pilot program of Microsoft Security Advisories will strive to issue an alert within one business day of the company becoming aware of a problem and offer ways to mitigate it, a Microsoft representative said.

"Our advisories will allow us to communicate about more things than just security," said Stephen Toulouse, security program manager in Microsoft's security response center.

The move comes amid an ongoing debate over how and when information about vulnerabilities should be disclosed. The software industry has been urging "responsible" disclosure, in which security researchers wait until manufacturers have created a patch for a hole before making the public aware of the problem. But some flaw finders have held to "full" disclosure, in which they reveal a vulnerability as soon as they discover it. If a flaw is publicized, they argue, software makers will not drag their feet about fixing it.

In April, security company Secunia sent out a warning about a "highly critical" vulnerability affecting Microsoft's Office and Access programs that had not been patched by the software maker. The warning noted that exploit code for the flaw had already been posted on the Web.

The new Microsoft program will include alerts that do not necessarily relate to a flaw, but to issues that could pose a security risk. For example, phishing fraud attacks that rely on social engineering to dupe users into revealing confidential information would not be considered a software vulnerability, but Microsoft might issue a warning about the problem, the company representative said.

In addition, the advisories will notify people about exploit code that has been made public or "proof of concept" code that might be related to a released update or vulnerability.

Each alert will come with a tracking number that will enable people to follow any changes in the warning. An advisory may later turn into a security bulletin, in which a patch will be released. Microsoft has a regular monthly cycle of security updates.

The advisories, however, will not rank the severity of the security problem, Toulouse said. He noted that it would be difficult to have an all-in-one system that would not only rate the severity of a flaw but also of a security hoax or phishing attack.

Thomas Kristensen, chief technology officer at Secunia, applauded Microsoft's move. "We're definitely pleased to see this. In many ways, this will make things easier for us," he said.

PC users might question a flaw alert from a security company if the maker of the software does not acknowledge the problem, Kristensen said.

"If we issue an alert, and Microsoft says nothing to confirm it, then the good guys doubt whether they should take our recommended actions and the bad guys take advantage of this, because they know it will take a while before Microsoft issues patches," Kristensen said.

Microsoft is one of the few software vendors that issue advisories and workarounds for vulnerabilities, Kristensen said. He noted that open-source software vendors, however, will usually provide alerts and list potential workarounds.
