Microsoft revamps security hole approach

Microsoft has a new security service that will provide an immediate response when researchers publicize unpatched vulnerabilities.

The pilot program run by the Microsoft Security Response Center (MSRC) and called simply Microsoft Security Advisories, complements the monthly scheduled Security Bulletins ordinarily accompanied by patches.

Unlike the bulletins though, advisories will not have to meet any fixed schedule, being issued instead as soon as possible after a vulnerability is disclosed, Microsoft said.

The advisories will be used to address various issues arising between the monthly bulletins, including vulnerability disclosures and phishing scams.

The advisories “will address security changes that may not require a security bulletin but that may still impact customers’ overall security,” said Nick McGrath, Microsoft’s head of platform strategy. “Customers have told us that they want more prescriptive and timely guidance on security issues.”

In the past, Microsoft has limited its detailed comments to the monthly bulletins, responding to other issues with short statements. A noticeable shift came last month when MSRC program manager Stephen Toulouse used the MSRC blog to discuss a flaw that had been disclosed in Windows 2000 systems. Typically, Microsoft uses such discussions to downplay the severity of unpatched flaws.

The advisory system is the latest development in an ongoing debate over how software vendors and security researchers should balance the need for users to be aware of vulnerabilities with the need for discretion. Microsoft has criticized security researchers for discussing flaws before a patch has been released. For their part, many researchers have said they only disclose vulnerability information if they are unable to convince Microsoft to take action.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now