November 19, 2002 7:45 AM PST
Microsoft to simplify security alerts
The company notified customers of pending changes to security alert bulletins in an e-mail sent Tuesday to the Microsoft Security Notification Service mailing list.
"Customer feedback tells us that, while technical professionals value our security bulletins, many end-users find them overly detailed and confusing," Steve Lipner, director of Microsoft Security Assurance, wrote in the e-mail. He also noted that many people receive notices that would be "of interest only to developers or system administrators."
To address both issues, Microsoft plans to "create a less technical end-user security bulletin that we will host, while continuing to offer more technical alerts for technology professionals. The new end-user security bulletins will describe straightforward steps that customers can take to help keep their systems secure," Lipner wrote.
Those bulletins, like the more business-oriented ones, will be available at Microsoft's security Web site.
"In addition, before year's end, we will create a new End User Security Notification Service that will notify customers of security issues in end-user-oriented products and provide a link to the appropriate end-user security bulletin," Lipner wrote.
Microsoft stepped up its emphasis on security in January, when Chairman Bill Gates sent an e-mail to employees making security the company's No. 1 priority--ahead of adding new product features.
The company then unleashed a torrent of security alerts after Microsoft developers uncovered problems during several intensive rounds of code reviews. By October, Microsoft had already issued more security bulletins than in all of 2001; the count for the year so far stands at 64. A single bulletin can describe two, three or more separate security problems.
Analysts gave Microsoft high marks for attempting to clean up its security bulletins, which they agreed are too difficult for most people to decipher.
"Existing Microsoft security bulletins assume that the reader is a programmer," said independent security consultant Richard Smith. "Of course, most Microsoft customers are not programmers and therefore need simpler explanations of security problems."
According to Robert McLaws, President of Interscape Technologies, "Computer security is not just an IT concern, but as of right now the only way to get security bulletins is through their (Microsoft's) IT assistance channels.
"Security alerts targeted to laypeople is definitely a good idea, although I'm sure it will be difficult for tech people to simplify the concepts into nontech terms. It is definitely a step in the right direction," McLaws said.
Besides changes to the alerts themselves, Microsoft also is revamping how security alerts are rated. The company had been rating the severity of security problems as "low," "moderate" or "critical."
Many people "find that the ratings fail to clearly identify the most serious issues," Lipner wrote. "There is also a widespread feeling that the Severity Ratings are difficult to understand and apply."
Microsoft has added a fourth severity designation, "important," and posted clearer explanations of what each of the four ratings means.