RealTime IT News

MS Premium Customers Get Early Security Warnings

Microsoft is giving premium customers advance notice of security bulletins, internetnews.com has learned.

The company plans to release two security bulletins, one with a "critical" rating, on Tuesday September 14, in order to plug holes in multiple software products, according to an advance notice sent to select customers.

The note, obtained by internetnews.com, said Microsoft's September batch of patches will plug a serious vulnerability in Microsoft Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio, and Microsoft .NET Framework.

A separate patch with an "important" rating will be issued for Microsoft Office customers, the company said in the notice, which was sent only to premier customers.

"At this time no additional information on these internal bulletins such as details regarding severity or details regarding the vulnerability will be made available until 14 September 2004," according to the notice.

While Microsoft said the number of bulletins, products affected, restart information and severities are subject to change until released, it appears there won't be a patch this month for a "highly critical" bug in the drag-and-drop feature of the Internet Explorer browser. The bug could put millions of Web surfers at risk of malicious hacker attacks. A public warning for that vulnerability was issued on August 19.

In a statement released to internetnews.com, Microsoft confirmed the pre-release of information to premier and other representative customers. "Based on customer feedback, Microsoft started a 'heads-up' security bulletin notification program in November 2003 with Premier and other representative customers. The program was well-received and feedback from participating customers was very positive; consequently, the program was expanded in April 2004 to include all customers who will sign an appropriate non-disclosure agreement," the company added.

Microsoft said the program is designed to provide very limited information in a brief e-mail three business days before the anticipated release of monthly security bulletins. It also said the notification is to assist customers with resource planning for the monthly security bulletin release.

Microsoft insisted the information provided in the notice was "very basic in nature" and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected. "The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk."

However, the availability of advance notice for high-end customers isn't likely to sit well with most Microsoft customers who must wait for the public release of bulletins on the second Tuesday of every month.

The move could also raise the ire of independent security researchers who detect software flaws and work privately with Microsoft ahead of coordinated public disclosure.

While Microsoft has typically provided warnings ahead of time to ISVs if a patch will disrupt a specific application, advance notice of specific software patches is never released publicly.

In the notice, which was seen by internetnews.com, Microsoft said the advance notification was intended to "help our customers plan for the deployment of these security updates more effectively. The goal is to provide our Premier customers with information on soon-to-be released security updates."

However, Gartner security analyst John Pescatore described the pre-release of security information to high-end customers only as "an extremely dangerous practice."

"I know that Microsoft provides some advance warning to the Department of Homeland Security on things that could affect critical infrastructure. But I've never seen Microsoft give advance information only to customers who pay. That would be a terrible thing to do," Pescatore said.

"That should only be allowed when we are talking about vulnerabilities that affect critical infrastructure. Not 'pay me more and I'll tell you earlier'. It's a very bad practice."

The Gartner vice president said the notice would be akin to an independent researcher or hacker finding a vulnerability and sharing the information before a patch is available. "If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won't fly. That would be a horrible thing to do."

The U.S. government's Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.

Last January, research firm Next Generation Security Software (NGSS) severed ties with the federally funded US-CERT and accused the organization of selling early access to vulnerability warnings long before vendor fixes are made available.

At the time, NGSS co-founder Mark Litchfield said it was "annoying" that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available. "The problem became apparent when the vendor we're working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege," Litchfield argued.

NGSS at the time vowed that it would cut off CERT from all future bug warnings until the organization signed a binding non-disclosure agreement that it would not share early access with its paid sponsors.