Microsoft Offering Heads-Up on Security

Under the free program, some customers are receiving three business days' notice of how many security fixes Microsoft plans to release in its regular monthly bulletins, and which Microsoft products are affected. Customers also can learn how severe a threat the flaws pose several days before the general public gets that information.

Redmond-based Microsoft began testing the program last fall, and expanded it in April. It has not been widely publicized, and Microsoft has been offering the service to some customers individually through sales representatives.

Amy Carroll, director of product management for Microsoft's security business and technology unit, said the program is geared toward very large companies, some of which had asked for the service so they could better prepare to deploy the patches. But she said the program is open to anyone willing to sign an agreement promising to keep the information confidential.

About 3,500 customers are taking part.


John Pescatore, vice president for Internet security at research firm Gartner, argued that the program is inherently exclusive because it's only been offered to certain customers. Since most people don't know it exists, that puts many at a disadvantage, he said.

"This is safety-related defect information, and for it to be selectively given to some and not to others is a bad thing," Pescatore said.

Because the information is so general, Carroll said it would not be enough to help a malicious person launch an attack before a patch was generally made public.

But Pescatore said there are circumstances where it could prove to be a security problem. For example, he said an attacker might launch a pre-emptive strike if the person learned that Microsoft planned a software fix.

The fact that the program is subject to a confidentiality agreement means that it must have some potential value for attackers, he said.

"If it's so generic that it can't help attackers, why aren't you telling everybody?" he asked.

The advance notification is only for Microsoft's regularly scheduled monthly patches, which are released on the second Tuesday of each month.

Carroll said Microsoft usually doesn't have the luxury of giving customers three days' notice of fixes that it releases between those planned cycles, since it usually is responding to threats that need immediate attention.

Microsoft has spent the last couple of years trying to improve security in products such as its ubiquitous Windows operating system and popular Office business software.

Copyright © 2004 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.