Microsoft to sound early alert for flaws
Pilot program will send out advisories to confirm reports of flaws and tell PC owners how to deal with them until they're patched.
The pilot program of Microsoft Security Advisories will strive to issue an alert within one business day of the company becoming aware of a problem and offer ways to mitigate it, a Microsoft representative said.
"Our advisories will allow us to communicate about more things than just security," said Stephen Toulouse, security program manager in Microsoft's security response center.
The move comes amid an ongoing debate over how and when information about vulnerabilities should be disclosed. The software industry has been urging "responsible" disclosure, in which security researchers wait until manufacturers have created a patch for a hole before making the public aware of the problem. But some flaw finders have held to "full" disclosure, in which they reveal a vulnerability as soon as they discover it. If a flaw is publicized, they argue, software makers will not drag their feet about fixing it.
In April, security company Secunia sent out a warning about a "highly critical" vulnerability affecting Microsoft's Office and Access programs that had not been patched by the software maker. The warning noted that exploit code for the flaw had already been posted on the Web.
The new Microsoft program will include alerts that do not necessarily relate to a flaw, but to issues that could pose a security risk. For example, phishing fraud attacks that rely on social engineering to dupe users into revealing confidential information would not be considered a software vulnerability, but Microsoft might issue a warning about the problem, the company representative said.
In addition, the advisories will notify people about exploit code that has been made public or "proof of concept" code that might be related to a released update or vulnerability.
Each alert will come with a tracking number that will enable people to follow any changes in the warning. An advisory may later turn into a security bulletin, in which a patch will be released. Microsoft has a regular monthly cycle of security updates.
The advisories, however, will not rank the severity of the security problem, Toulouse said. He noted that it would be difficult to have an all-in-one system that would not only rate the severity of a flaw but also of a security hoax or phishing attack.
Thomas Kristensen, chief technology officer at Secunia, applauded Microsoft's move. "We're definitely pleased to see this. In many ways, this will make things easier for us," he said.
PC users might question a flaw alert from a security company if the maker of the software does not acknowledge the problem, Kristensen said.
"If we issue an alert, and Microsoft says nothing to confirm it, then the good guys doubt whether they should take our recommended actions and the bad guys take advantage of this, because they know it will take a while before Microsoft issues patches," Kristensen said.
Microsoft is one of the few software vendors that issue advisories and workarounds for vulnerabilities, Kristensen said. He noted that open-source software vendors, however, will usually provide alerts and list potential workarounds.