[ISN] Microsoft Revises Security Bulletins, Rating System

From: InfoSec News (isnat_private)
Date: Tue Nov 19 2002 - 23:56:01 PST

Next message: InfoSec News: "[ISN] Accused Pentagon Hacker's Online Life"

Previous message: InfoSec News: "[ISN] Osama's Plot to Blow-up the Internet on January 11th"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.eweek.com/article2/0,3959,715766,00.asp

By Dennis Fisher 
November 19, 2002 

In the hopes of making its security bulletins more readable, Microsoft
Corp. on Tuesday announced that it has revised the guidelines it uses
to rate the severity of the security vulnerabilities in its products.

The company will also establish a separate mailing list for end users
who don't want or need all of the technical detail in the advisories
it sends out to systems administrators and security specialists.  The
changes are a result of feedback from customers who thought the
bulletins were too detailed and confusing.

The Microsoft Security Response Center, which handles the
investigation of any alleged vulnerabilities in the company's
products, sends out an advisory to its Security Notification Service
mailing list any time there is a confirmed flaw that might affect
multiple customers. The list is open to anyone, but is made up mainly
of highly technical users. As a result, the bulletins mailed out to
the list include a lot of detail on the vulnerability itself, how it
might be exploited and any mitigating factors.

Much of this information is lost on home users, who simply want to
know about the problem and whether they need to install the patch.

"Customer feedback tells us that, while technical professionals value
our security bulletins, many end-users find them overly detailed and
confusing," Steve Lipner, director of security assurance at Microsoft,
in Redmond, Wash., wrote in a message to the mailing list.

The new end-user bulletins will explain the problem and remediation
measures in layman's terms.

The revised guidelines add a fourth severity rating—Important—between
Critical and Moderate. Important vulnerabilities are defined as those
"whose exploitation could result in compromise of the confidentiality,
integrity or availability of users' data, or of the integrity or
availability of processing resources."

Microsoft implemented the rating system last year in an effort to give
users a better idea of which vulnerabilities needed their immediate
attention.

 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] Accused Pentagon Hacker's Online Life"
Previous message: InfoSec News: "[ISN] Osama's Plot to Blow-up the Internet on January 11th"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 02:25:56 PST