Microsoft will introduce a security advisory service on Tuesday that will confirm reports of flaws and provide a workaround until a patch is released.
The pilot program of Microsoft Security Advisories will strive to issue an alert within one business day of the company becoming aware of a problem and offer ways to mitigate it, a Microsoft representative said.
"Our advisories will allow us to communicate about more things than just security," said Stephen Toulouse, security program manager in Microsoft's security response center.
The move comes amid an ongoing debate over how and when information about vulnerabilities should be disclosed. The software industry has been urging "responsible" disclosure, in which security researchers wait until manufacturers have created a patch for a hole before making the public aware of the problem. But some flaw finders have held to "full" disclosure, in which they reveal a vulnerability as soon as they discover it. If a flaw is publicized, they argue, software makers will not drag their feet about fixing it.
In April, security company Secunia sent out a warning about a "highly critical" vulnerability affecting Microsoft's Office and Access programs that had not been patched by the software maker. The warning noted that exploit code for the flaw had already been posted on the Web.
The new Microsoft program will include alerts that do not necessarily relate to a flaw, but to issues that could pose a security risk. For example, phishing fraud attacks that rely on social engineering to dupe users into revealing confidential information would not be considered a software vulnerability, but Microsoft might issue a warning about the problem, the company representative said.
In addition, the advisories will notify people about exploit code that has been made public or "proof of concept" code that might be related to a released update or vulnerability.
Each alert will come with a tracking number that will enable people to follow any changes in the warning. An advisory may later turn into a security bulletin, in which a patch will be released. Microsoft has a regular monthly cycle of security updates.
The advisories, however, will not rank the severity of the security problem, Toulouse said. He noted that it would be difficult to have an all-in-one system that would rate not only the severity of a flaw but also that of a security hoax or phishing attack.
Thomas Kristensen, chief technology officer at Secunia, applauded Microsoft's move. "We're definitely pleased to see this. In many ways, this will make things easier for us," he said.
PC users might question a flaw alert from a security company if the maker of the software does not acknowledge the problem, Kristensen said.
"If we issue an alert, and Microsoft says nothing to confirm it, then the good guys doubt whether they should take our recommended actions and the bad guys take advantage of this, because they know it will take a while before Microsoft issues patches," Kristensen said.
Microsoft is one of the few software vendors that issue advisories and workarounds for vulnerabilities, Kristensen said. He noted that open-source software vendors, however, will usually provide alerts and list potential workarounds.
... to think that, after so many years of Windows versions, there are any security flaws left. Sure, Windows is a lot of code, but it's MS's code. And MS has had the income and the time to have a whole group of software engineers working on just detecting the flaws and fixing Windows.
Or so you'd think.