Microsoft changes advisory release process |
 |
By Shawna McAlearney, Information Security Magazine Online Editor
16 Oct 2003 | Information Security Magazine |
|
|
Security experts are lauding Microsoft's new plan to release vulnerability advisories once a month, rather than as needed on Wednesdays. Microsoft says the new monthly bulletin release cycle will add a level of predictability and manageability for customers and allow them to test and deploy patches in a timely manner.
"The number of Windows patch files is getting out of hand," says Richard M. Smith, an independent security researcher. "This is a good way of consolidating vast amounts of information."
Security bulletins will be released on the second Tuesday of every month.
"The downside is that if word gets out about a vulnerability, there's a bigger window for exploit," adds Smith. "However, Microsoft says it will continue to release patches early if users are faced by an immediate threat."
The new process will include a bulletin summary that describes issues and severity at a high level and provides pointers to the detailed security bulletin. The security bulletin and Knowledge Base article information will be merged into one comprehensive document. The bulletins will provide additional mitigations to make security response more manageable and give options beyond patching. Also, Microsoft released Windows XP Update Rollup 1 (a cumulative set of hotfixes, security patches and critical updates packaged together for easy deployment) via Windows Update.
The new security bulletin format and process applies to both the technical bulletin and the consumer bulletin.
CEO Steve Ballmer first announced the process at Microsoft's Worldwide Partner Conference.
|
