Microsoft to Limit ‘Critical’ Security Warnings

Written By
Ryan Naraine
Nov 19, 2002

As it continues to battle the PR nightmare over software security, Microsoft
plans to change the way vulnerability warnings are
issued, particularly for non-technical end-users.

A less technical alerting system has been added to the one used to alert
tech professionals, Microsoft director of security assurance Steve Lipner
said in an e-mail.

“In addition, before year’s end, we will create a new End User Security
Notification Service that will notify customers of security issues in
end-user-oriented products and provide a link to the appropriate end-user
security bulletin,” Lipner added.

He said the move to rejigger the way security alerts are issued was
necessary because end-users were finding the existing system “overly
detailed and confusing.”

Now, the plan is to issue separate alerts, meaning that subscribers to
Microsoft’s Security Notification Service would receive bulletins “that are
of interest only to developers or system administrators,” Lipner added.

The Redmond-based software giant also plans to limit the “critical” rating
on security alerts to customers because of fears that too many high-level
alerts were being issued.

Instead of issuing a “critical” rating on vulnerability warnings, Microsoft
has modified its Severity Rating Criteria to specify clearly which bugs
needed to be addressed immediately.

“There is also a widespread feeling that the Severity Ratings are difficult
to understand and apply. For these reasons, we have modified (the criteria)
to help customers more easily evaluate the impact of security issues,” Lipner
explained.

So far this year, almost half of Microsoft’s 64 vulnerability alerts were
tagged with the ‘critical’ rating and security experts have warned about a
potential “cry wolf” situation if too many insignificant patches came with
the highest-level rating.

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.
