
Microsoft Offering Heads-Up on Security

By Allison Linn, CRN
September 16, 2004    12:43 PM ET

Microsoft Corp. has quietly begun giving some of its largest customers early warning of what types of security patches it will be releasing, so the companies can plan better.

Under the free program, some customers are receiving three business days' notice of how many security fixes Microsoft plans to release in its regular monthly bulletins, and what Microsoft products are affected. Customers also can learn how severe a threat the flaws pose several days before the general public gets that information.

Redmond-based Microsoft began testing the program last fall, and expanded it in April. It has not been widely publicized, and Microsoft has been offering the service to some customers individually through sales representatives.

Amy Carroll, director of product management for Microsoft's security business and technology unit, said the program is geared toward very large companies, some of which had asked for the service so they could better prepare to deploy the patches. But she said the program is open to anyone willing to sign an agreement promising to keep the information confidential.

About 3,500 customers are taking part.

John Pescatore, vice president for Internet security at research firm Gartner, argued that the program is inherently exclusive because it's only been offered to certain customers. Since most people don't know it exists, that puts many at a disadvantage, he said.

"This is safety-related defect information, and for it to be selectively given to some and not to others is a bad thing," Pescatore said.

Because the information is so general, Carroll said it would not be enough to help a malicious person launch an attack before a patch was generally made public.

But Pescatore said there are circumstances where it could prove to be a security problem. For example, he said an attacker might launch a pre-emptive strike if the person learned that Microsoft planned a software fix.

The fact that the program is subject to a confidentiality agreement means that it must have some potential value for attackers, he said.

"If it's so generic that it can't help attackers, why aren't you telling everybody?" he asked.

The advance notification is only for Microsoft's regularly scheduled monthly patches, which are released on the second Tuesday of each month.

Carroll said Microsoft usually doesn't have the luxury of giving customers three days' notice of fixes that it releases between those planned cycles, since it usually is responding to threats that need immediate attention.

Microsoft has spent the last couple of years trying to improve security in products such as its ubiquitous Windows operating system and popular Office business software.

Copyright © 2004 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.

