http://news.zdnet.com/2100-1009_22-5697945.html
Go screw, you scummy home computer users! We ain't gonna help
you! Only our beloved corporate customers!
I don't understand why you made that comment. Please explain?
For the benefit of other readers, here is the text of the
announcement:
(QUOTE)
Microsoft to sound early alert for flaws
By Dawn Kawamoto, CNET News.com
Published on ZDNet May 6, 2005, 11:08 AM PT
Microsoft will introduce a security advisory service on Tuesday
that will confirm reports of flaws and provide a workaround until a
patch is released.
The pilot program of Microsoft Security Advisories will strive to
issue an alert within one business day of the company becoming
aware of a problem and offer ways to mitigate it, a Microsoft
representative said.
"Our advisories will allow us to communicate about more things than
just security," said Stephen Toulouse, security program manager in
Microsoft's security response center.
The move comes amid an ongoing debate over how and when information
about vulnerabilities should be disclosed. The software industry
has been urging "responsible" disclosure, in which security
researchers wait until manufacturers have created a patch for a
hole before making the hole public. But some flaw finders have held
to "full" disclosure, in which they reveal a vulnerability as soon
as they discover it. If a flaw is publicized, they argue, software
makers will not drag their feet about fixing it.
In April, security company Secunia sent out a warning about a
"highly critical" vulnerability affecting Microsoft's Office and
Access programs that had not been patched by the software maker.
The warning noted that exploit code for the flaw had already been
posted on the Web.
The new Microsoft program will include alerts that do not
necessarily relate to a flaw, but to issues that could pose a
security risk. For example, phishing fraud attacks that rely on
social engineering to dupe users into revealing confidential
information would not be considered a software vulnerability, but
Microsoft might issue a warning about the problem, the company
representative said.
In addition, the advisories will notify people about exploit code
that has been made public or "proof of concept" code that might be
related to a released update or vulnerability.
Each alert will come with a tracking number, which will enable
people to follow any changes in the warning. An advisory may later
turn into a security bulletin, in which a patch will be released.
Microsoft has a regular monthly cycle of security updates.
The advisories, however, will not rank the severity of the security
problem, Toulouse said. He noted that it would be difficult to have
an all-in-one system that would not only rate the severity of a
flaw but also of a security hoax or phishing attack.
Thomas Kristensen, chief technology officer at Secunia, applauded
Microsoft's move. "We're definitely pleased to see this. In many
ways, this will make things easier for us," he said.
PC users might question a flaw alert from a security company if the
maker of the software does not acknowledge the problem, Kristensen
said.
"If we issue an alert, and Microsoft says nothing to confirm it,
then the good guys doubt whether they should take our recommended
actions and the bad guys take advantage of this, because they know
it will take a while before Microsoft issues patches," Kristensen
said.
Microsoft is one of the few software vendors that issue advisories
and workarounds for vulnerabilities, Kristensen said. He noted that
open-source software vendors, however, will usually provide alerts
and list potential workarounds.
(/QUOTE)