We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft revamps security hole approach

Timely advisories to monthly Security Bulletins now in pilot program

Microsoft has a new security service that will provide an immediate response when researchers publicise unpatched vulnerabilities.

The pilot program, run by the Microsoft Security Response Center (MSRC) and called simply Microsoft Security Advisories, complements the monthly scheduled Security Bulletins ordinarily accompanied by patches.

Unlike the bulletins, though, advisories will not have to meet any fixed schedule, being issued instead as soon as possible after a vulnerability is disclosed.

The advisories will be used to address issues arising between the monthly bulletins, including vulnerability disclosures and phishing scams.

The advisories "will address security changes that may not require a security bulletin but that may still impact customers' overall security," says Nick McGrath, Microsoft's head of platform strategy. "Customers have told us that they want more prescriptive and timely guidance on security issues."

In the past, Microsoft has limited its detailed comments to the monthly bulletins, responding to other issues with short statements. A noticeable shift came last month when MSRC program manager Stephen Toulouse wrote an MSRC blog to discuss a flaw that had been disclosed in Windows 2000 systems. Typically, Microsoft has used such discussions to downplay the severity of unpatched flaws.

The advisory system is the latest development in an ongoing debate over how software vendors and security researchers should balance the need for users to be aware of vulnerabilities with the need for discretion. Microsoft has criticized security researchers for discussing flaws before a patch has been released. For their part, many researchers have said they only disclose vulnerability information if they are unable to convince Microsoft to take action.


IDG UK Sites

5 reasons not to wait for the Apple Watch: Why you shouldn't buy the iWatch

IDG UK Sites

Why local multiplayer gaming is rapidly vanishing: we look at the demise of split-screen and LAN...

IDG UK Sites

How Emotional Debt is damaging digital design

IDG UK Sites

How to update your iPhone or iPad to iOS 8: including how to install iOS 8 if you don't have room