http://www.eweek.com/article2/0,3959,715766,00.asp By Dennis Fisher November 19, 2002 In the hopes of making its security bulletins more readable, Microsoft Corp. on Tuesday announced that it has revised the guidelines it uses to rate the severity of the security vulnerabilities in its products. The company will also establish a separate mailing list for end users who don't want or need all of the technical detail in the advisories it sends out to systems administrators and security specialists. The changes are a result of feedback from customers who thought the bulletins were too detailed and confusing. The Microsoft Security Response Center, which handles the investigation of any alleged vulnerabilities in the company's products, sends out an advisory to its Security Notification Service mailing list any time there is a confirmed flaw that might affect multiple customers. The list is open to anyone, but is made up mainly of highly technical users. As a result, the bulletins mailed out to the list include a lot of detail on the vulnerability itself, how it might be exploited and any mitigating factors. Much of this information is lost on home users, who simply want to know about the problem and whether they need to install the patch. "Customer feedback tells us that, while technical professionals value our security bulletins, many end-users find them overly detailed and confusing," Steve Lipner, director of security assurance at Microsoft, in Redmond, Wash., wrote in a message to the mailing list. The new end-user bulletins will explain the problem and remediation measures in layman's terms. The revised guidelines add a fourth severity rating—Important—between Critical and Moderate. Important vulnerabilities are defined as those "whose exploitation could result in compromise of the confidentiality, integrity or availability of users' data, or of the integrity or availability of processing resources." Microsoft implemented the rating system last year in an effort to give users a better idea of which vulnerabilities needed their immediate attention. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 02:25:56 PST