Microsoft security advisories draw mixed reviews

With its May patch cycle, the software maker began sending out security alerts that don't come with patches. The value of such alerts is a matter of debate. Meanwhile, one researcher warns that June could be a busy month for Microsoft patches.

While this month saw only one new security patch from Microsoft, June might be a different story.

"We're thinking that next month is going to be another big month," said Mark Loveless, senior security analyst with BindView Corp., in Houston. "You hear this researcher say, 'I've got a bug and we're close.' This could be a pretty good month."

The "important" patch released this month -- MS05-024 -- fixed a flaw in how Web View in Windows Explorer handles certain HTML characters in preview fields. Left unpatched, it could allow remote code execution. Windows 98 and Windows 2000 systems are vulnerable, but Windows XP and Windows Server 2003 are not.

The value of security advisories

In this month's security announcement cycle, Microsoft began releasing security advisories -- without accompanying software updates -- to mixed reviews. The advisories referenced problems with TCP, Windows Media Player and Exchange Server 2003. One of them, an Exchange advisory, clarifies the purpose of the SMTP tar pit feature and points users to Knowledge Base article 842851.

Loveless didn't find the advisories to be useful. "To me that's just spin," he said. "It's PR so they are just acknowledging a problem that already exists. One would assume that they're always working on some problem. It doesn't add anything to anything, in my opinion."

But Mohammed Athif Khaleel, a Microsoft Most Valuable Professional (MVP) for Windows Server, said he thinks the advisories do benefit users. The advisories, he said, serve as advance notice of patches that may follow later.

WSUS print status problem

Khaleel said he reported to Microsoft a flaw in how bulletins print from Windows Server Update Services (WSUS). The cause of the problem is unknown, he said, but users can work around it by saving the bulletin with a .htm extension, opening the saved file and printing it from there.

A Microsoft spokesperson confirmed that the company's Security Response Center is aware of the printing problem, but said that no firm date has been set for a fix. The company also re-released four bulletins with additional information, but did not change the patches: MS05-009, MS05-019, MS05-022 and MS05-023.

A question of response time

As for Microsoft's security update strategy, Loveless said the company has made progress, but it still has a long way to go.

"Before, you basically had to release exploit code to get them to leap," Loveless said. "To this day, we still have to push them to make sure that they do things, so a lot of behind-the-scenes trying to hold their feet to the fire still goes on between Microsoft and researchers. But in a lot of cases, they are much more responsive."

However, in an informal trial, Loveless said that Microsoft's automated testing service took much longer than anticipated to update the security notifications.

"In a couple of cases it took about a week, which is not great, because during the same time, before that happened, you had exploit code coming out," Loveless said. "I think their patching services, as far as the automated services, need some improvement."

Note: This article originally appeared on SearchWindowsSecurity.com.
