Microsoft Throws Doors Open on Early Security Bulletin Notifications

Microsoft officials said on Thursday that the controversial early notification program on security bulletins that has been available to certain customers for a year will be open to everyone starting immediately.

The formal name of the program is the Microsoft Security Bulletin Advanced Notification Program. It will consist of a public Web page and, starting in December, an e-mail notification. The notifications will list general information about the upcoming security bulletins three business days ahead of the regular monthly release date for all security bulletins.

The advance notification will not get into the specifics of any vulnerabilities. Instead it will detail the maximum number of bulletins that may be released, the anticipated severity ratings of the bulletins and a list of products that may be affected. "The purpose of the notification is to assist customers with resource planning for the scheduled monthly security bulletin," Microsoft said in a statement Thursday.

There will be two parts to the program, a public Web site and an e-mail blast. Microsoft will publish its general summary of planned security bulletins three business days before each month's scheduled release date. The public posting site is www.microsoft.com/technet/security/default.mspx. Customers will be able to sign up for the e-mail notifications from the same site starting in December, according to Microsoft.

Microsoft posted the first of the advance security notifications on Thursday. The company expects to release one security bulletin next Tuesday. The affected product is Internet Security and Acceleration Server. The maximum severity rating of the update is Important, and the patch may require a restart.

Microsoft found itself in a flap earlier in the fall when news outlets reported that some customers were getting advance notice of the security bulletins that come out on the second Tuesday of each month.

As the flap grew, Microsoft released statements trying to clarify that the program released only vague information that wouldn't help bad actors compromise systems before they could be patched. According to statements released by the company in late September, Microsoft started the "heads-up" security bulletin notification program in November 2003 with Premier and other "representative" customers. It was expanded in April 2004 to include all customers who were willing to sign a non-disclosure agreement.

It apparently became a PR issue for Microsoft when one or more of the customers violated the NDA and leaked the notifications.

Asked why Microsoft felt the need to place an NDA on such vague information, a company spokesperson said, "Microsoft wanted to test the program and information provided to customers in a controlled environment to ensure it was valuable to customers and the information being provided did not put customers at risk."

John Pescatore, an analyst covering IT security for Gartner, says Microsoft's decision to open the program is "the right thing to do." Pescatore has been critical of Microsoft's previous handling of the program, especially over the lack of written guidelines.

"It's a big deal when 21 patches come out on a Tuesday. There is a value to the heads up, but it can't be unofficial policy. They might be tempted to do bigger things," Pescatore says. Because the program previously served primarily Microsoft's largest accounts, the software giant might have succumbed to pressure to release more details of the bulletins or early versions of the patches. A leak or the theft of that type of information could give attackers a few extra days to study and exploit flaws before patches became widely available.

Pescatore also contends that smaller customers with little or no IT staff need the poorly promoted program as much as, or even more than, large companies with major IT departments.

Senior scientist Russ Cooper of the security company TruSecure also believes the service is meaningful for customers. "It's about time," Cooper says. "I've had discussions with Microsoft for more than five years regarding getting advanced notices of security bulletins."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.