Microsoft Launches Security Advisory Service

Dubbed Microsoft Security Advisories, the service is a pilot program begun in response to customer requests, Stephen Toulouse, the program manager of Microsoft Security Research Center (MSRC), said.

"When we got down to it, in the absence of a bulletin, customers wanted us to provide authoritative guidance on security related topics," Toulouse said.

Microsoft's security advisories--the first two of which were issued Tuesday--will offer early workarounds for vulnerabilities before a patch is ready. "If there was public vulnerability posted, the advisories could be used to provide guidance on workarounds," said Toulouse.

In cases such as those, expect to see the advisories morph into actual bulletins, Toulouse added. "We'd put the advisory up, and when a patch is ready, use it to point to the bulletin," he noted

The advisories will follow the general format of the existing security bulletins, because feedback for the latter has been positive and users are familiar with the layout. The two advisories rolled out Tuesday, for example, offer subsections titled "Overview" and "Frequently Asked Questions," just as do Microsoft's monthly security bulletins.

However, the advisories will not come with the severity rankings used for bulletins, which are accompanied by a four-step rating that tops out at "critical."

In some cases, Toulouse said, Microsoft will use the advisories to debunk hoaxes about phony vulnerabilities, or to document updates on earlier vulnerabilities that have been patched, but since then have been exploited in new ways.

"The criteria for issuing bulletins doesn't change," said Toulouse. "If we have to go out of cycle to issue an important patch, we'll do that. The advisories don't nullify that."

"This is definitely a good thing," said John Pescatore, vice president at market researchers Gartner. "The more security advice on how to make Windows protected, the better. Microsoft is pushing the envelope a bit, and breaking with its existing security protocol, but lots of vendors are trying to be more responsive now, and making available more frequent security advice. Frankly, this is the way software vendors have to do it."

One potential problem that Pescatore sees in the advisory program is the fact that advisories will be unscheduled aspect and thus can be issued at any time. "Will they be used only for extraordinary things, or anytime they have a workaround?" he asked.

At Microsoft, Toulouse vowed that the company wouldn't flood users with advisories. He said they would only be issued when Microsoft determined they were "very important."