[ISN] Microsoft Revises Security Bulletins, Rating System

From: InfoSec News (isnat_private)
Date: Tue Nov 19 2002 - 23:56:01 PST

  • Next message: InfoSec News: "[ISN] Accused Pentagon Hacker's Online Life"

    By Dennis Fisher 
    November 19, 2002 
    In the hopes of making its security bulletins more readable, Microsoft
    Corp. on Tuesday announced that it has revised the guidelines it uses
    to rate the severity of the security vulnerabilities in its products.
    The company will also establish a separate mailing list for end users
    who don't want or need all of the technical detail in the advisories
    it sends out to systems administrators and security specialists.  The
    changes are a result of feedback from customers who thought the
    bulletins were too detailed and confusing.
    The Microsoft Security Response Center, which handles the
    investigation of any alleged vulnerabilities in the company's
    products, sends out an advisory to its Security Notification Service
    mailing list any time there is a confirmed flaw that might affect
    multiple customers. The list is open to anyone, but is made up mainly
    of highly technical users. As a result, the bulletins mailed out to
    the list include a lot of detail on the vulnerability itself, how it
    might be exploited and any mitigating factors.
    Much of this information is lost on home users, who simply want to
    know about the problem and whether they need to install the patch.
    "Customer feedback tells us that, while technical professionals value
    our security bulletins, many end-users find them overly detailed and
    confusing," Steve Lipner, director of security assurance at Microsoft,
    in Redmond, Wash., wrote in a message to the mailing list.
    The new end-user bulletins will explain the problem and remediation
    measures in layman's terms.
    The revised guidelines add a fourth severity ratingóImportantóbetween
    Critical and Moderate. Important vulnerabilities are defined as those
    "whose exploitation could result in compromise of the confidentiality,
    integrity or availability of users' data, or of the integrity or
    availability of processing resources."
    Microsoft implemented the rating system last year in an effort to give
    users a better idea of which vulnerabilities needed their immediate
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 02:25:56 PST