Microsoft Opens Access to Vulnerability Notifications
joseph schmo writes "Microsoft has announced that it will throw open the floodgates of vulnerability notifications for everyone who wants them. Previously, it was only offering early notifications to 'Premier and other 'representative' customers,' or those customers who would sign a Non-disclosure statement."
About 5 years too late I think.
If this is indeed as open as it sounds, then it's a massive step forward. MS will be forcing itself not to become complacent and hide behind the obscurity of a vulnerability that may not be known, but instead will have to deal with the vulnerability in the correct way - fixing the thing.
Whether it's actually this open, and whether they do end up fixing more problems because of it still has to be seen. Past behaviour has me cynical.
Well, it had to happen eventually.
:-)
I suspect that they came under a lot of fire for not having opened it up to everyone, especially since it would help alleviate a lot of the issues due to vulnerabilities, particularly worms.
Good thing, at least they listen
Expensive
Compared to what? My PC cost ten times what I can buy XP Pro for. I've personally used software costing hundreds of thousands of pounds.
buggy
Show me a complex piece of software that doesn't suffer from bugs. Linux distributors and Apple also release buggy software (and no, pointing out that most of the software that comes with a Linux distro is written by third parties is not an excuse - the distributor has the source and chooses to include the app. They assume some responsibility for it)
insecure
Put it behind a firewall, keep it up to date with patches, and don't be an idiot about using it - just as you should be doing with any network-aware piece of software.
Hasn't everyone moved on to OS X and Linux?
Actually, I've moved back to Windows having used Linux for a couple of years. No real complaints, it just doesn't run some software I need to use, and most of the things that bugged the shit out of me about Windows have been fixed. The right tool for the right job; in my case, that's currently Windows.
It's official. Most of you are morons.
From the article, all this means is that you get an extra 3 days' notice before the monthly release of security bulletins. What is the point of that?
The problem with the new MS regime of patching cycle is that they do not release information as it becomes available to them. Microsoft should release patches as soon as they are available, not on a monthly cycle. The current MS situation means that you are vulnerable for up to a month (if not more).
Microsoft's initial assumption that viruses & scripts are released only when the patch is released is largely flawed.
meh
Corporate sysadmins care. If you have three days warning of a really urgent patch, then you get to plan the patching better: notify users, set up testing, arrange overtime etc.
It's very troubling that they haven't been disclosing these vulnerabilities all along.
MS clearly has a culture that encouraged secrecy (or semi-secrecy) for many years about this. A sudden change in policy does not mean that the underlying culture has changed. It just means that there's now a certain amount of internal grumbling within MS about this new "reckless policy of airing our dirty laundry in public".
The true problem at MS is a poisonous culture that places a premium on secrecy: Closed source. Closed bug lists. It's all part of the same basic cultural weakness.