May 11, 2005 (2:47 PM EDT)

Microsoft Launches Security Advisory Service

By Gregg Keizer

Microsoft has unveiled a new security advisory service to plug the gap between public disclosure of a vulnerability and the availability of a patch.

Dubbed Microsoft Security Advisories, the service is a pilot program begun in response to customer requests, Stephen Toulouse, the program manager of Microsoft Security Research Center (MSRC), said.

"When we got down to it, in the absence of a bulletin, customers wanted us to provide authoritative guidance on security related topics," Toulouse said.

Microsoft's security advisories--the first two of which were issued Tuesday--will offer early workarounds for vulnerabilities before a patch is ready. "If there was public vulnerability posted, the advisories could be used to provide guidance on workarounds," said Toulouse.

In cases such as those, expect to see the advisories morph into actual bulletins, Toulouse added. "We'd put the advisory up, and when a patch is ready, use it to point to the bulletin," he noted.

The advisories will follow the general format of the existing security bulletins, because feedback for the latter has been positive and users are familiar with the layout. The two advisories rolled out Tuesday, for example, offer subsections titled "Overview" and "Frequently Asked Questions," just as do Microsoft's monthly security bulletins.

However, the advisories will not come with the severity rankings used for bulletins, which are accompanied by a four-step rating that tops out at "critical."

In some cases, Toulouse said, Microsoft will use the advisories to debunk hoaxes about phony vulnerabilities, or to document updates on earlier vulnerabilities that have been patched, but since then have been exploited in new ways.

"The criteria for issuing bulletins doesn't change," said Toulouse. "If we have to go out of cycle to issue an important patch, we'll do that. The advisories don't nullify that."

"This is definitely a good thing," said John Pescatore, vice president at market researchers Gartner. "The more security advice on how to make Windows protected, the better. Microsoft is pushing the envelope a bit, and breaking with its existing security protocol, but lots of vendors are trying to be more responsive now, and making available more frequent security advice. Frankly, this is the way software vendors have to do it."

One potential problem that Pescatore sees in the advisory program is its unscheduled aspect: advisories can be issued at any time. "Will they be used only for extraordinary things, or anytime they have a workaround?" he asked.

At Microsoft, Toulouse vowed that the company wouldn't flood users with advisories. He said they would only be issued when Microsoft determined they were "very important."

