Microsoft to Limit 'Critical' Security Warnings
As it continues to battle the PR nightmare over software security, Microsoft
A less technical alerting
system has been added to the one used to alert tech professionals,
Microsoft director of security assurance Steve Lipner said in an e-mail.
"In addition, before year's end, we will create a new End User Security
Notification Service that will notify customers of security issues in
end-user-oriented products and provide a link to the appropriate end-user
security bulletin," Lipner added.
He said the move to rejigger the way security alerts are issued was
necessary because end-users were finding the existing system "overly
detailed and confusing."
The Redmond-based software giant also plans to limit the "critical" rating
on security alerts to customers because of fears that too many high-level
alerts were being issued.
Instead of issuing a "critical" rating on vulnerability warnings, Microsoft
has modified its Severity
Rating Criteria to specify clearly which bugs needed to be addressed
immediately.
"There is also a widespread feeling that the Severity Ratings are difficult
to
understand and apply. For these reasons, we have modified (the criteria) to
help customers more easily evaluate the impact of security issues," Lipner
explained.
So far this year, almost half of Microsoft's 64 vulnerability alerts were
tagged with the 'critical' rating and security experts have warned about a
potential "cry wolf" situation if too many insignificant patches came with
the highest-level rating.
plans to change the way vulnerability warnings are
issued, particularly for non-technical end-users.