Microsoft Throws Doors Open on Early Security Bulletin Notifications

Microsoft officials said on Thursday that the controversial early notification program on security bulletins that has been available to certain customers for a year will be open to everyone starting immediately.

The formal name of the program is the Microsoft Security Bulletin Advanced Notification Program. It will consist of a public Web page and, starting in December, an e-mail notification. The notifications will list general information about the upcoming security bulletins three business days ahead of the regular monthly release date for all security bulletins.

The advance notification will not get into the specifics of any vulnerabilities. Instead it will detail the maximum number of bulletins that may be released, the anticipated severity ratings of the bulletins and a list of products that may be affected. "The purpose of the notification is to assist customers with resource planning for the scheduled monthly security bulletin," Microsoft said in a statement Thursday.

There will be two parts to the program, a public Web site and an e-mail blast. Microsoft will publish its general summary of planned security bulletins three business days before each month's scheduled release date. The public posting site is www.microsoft.com/technet/security/default.mspx. Customers will be able to sign up for the e-mail notifications from the same site starting in December, according to Microsoft.

Microsoft posted the first advance security notification on Thursday. The company expects to release one security bulletin next Tuesday. The affected product is Internet Security and Acceleration Server. The maximum severity rating of the update is Important, and the patch may require a restart.

Microsoft found itself in a flap earlier in the fall when news outlets reported that some customers were getting advance notice of the security bulletins that come out on the second Tuesday of each month.

As the flap grew, Microsoft released statements trying to clarify that the program released only vague information that wouldn't help bad actors compromise systems before they could be patched. According to statements released by the company in late September, Microsoft started the "heads-up" security bulletin notification program in November 2003 with Premier and other "representative" customers. It was expanded in April 2004 to include all customers who were willing to sign a non-disclosure agreement.

It apparently became a PR issue for Microsoft when one or more of the customers violated the NDA and leaked the notifications.

Asked why Microsoft felt the need to place an NDA on such vague information, a company spokesperson said, "Microsoft wanted to test the program and information provided to customers in a controlled environment to ensure it was valuable to customers and the information being provided did not put customers at risk."

John Pescatore, an analyst covering IT security for Gartner, says Microsoft's decision to open the program is "the right thing to do." Pescatore has been critical of Microsoft's previous handling of the program, especially over the lack of written guidelines.

"It's a big deal when 21 patches come out on a Tuesday. There is a value to the heads up, but it can't be unofficial policy. They might be tempted to do bigger things," Pescatore says. Because the program previously served primarily Microsoft's largest accounts, the software giant might have succumbed to pressure to release more details of the bulletins or early versions of the patches. A leak or the theft of that type of information could give attackers a few extra days to study and exploit flaws before patches became widely available.

Pescatore also contends that smaller customers with little or no IT staff need the poorly promoted program as much as, or even more than, large companies with major IT departments.

Senior scientist Russ Cooper of the security company TruSecure also believes the service is meaningful for customers. "It's about time," Cooper says. "I've had discussions with Microsoft for more than five years regarding getting advanced notices of security bulletins."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
