Microsoft is giving premium customers advance notice of security bulletins, internetnews.com has learned.
The company plans to release two security bulletins, one with a “critical” rating, on Tuesday September 14, in order to plug holes in multiple software products, according to an advance notice sent to select customers.
The note, obtained by internetnews.com, said Microsoft’s September batch of patches will plug a serious vulnerability in Microsoft Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio, and Microsoft .NET Framework.
A separate patch with an “important” rating will be issued for Microsoft Office customers, the company said in the notice, which was sent only to premier customers.
“At this time no additional information on these internal bulletins such as details regarding severity or details regarding the vulnerability will be made available until 14 September 2004,” according to the notice.
While Microsoft said the number of bulletins, products affected, restart information and severities are subject to change until released, it appears there won’t be a patch this month for a “highly critical” bug in the Internet Explorer browser’s drag-and-drop feature. The bug could put millions of Web surfers at risk of malicious hacker attacks. A public warning for that vulnerability was issued on August 19.
In a statement released to internetnews.com, Microsoft confirmed the pre-release of information to premier and other representative customers. “Based on customer feedback, Microsoft started a ‘heads-up’ security bulletin notification program in November 2003 with Premier and other representative customers. The program was well-received and feedback from participating customers was very positive; consequently, the program was expanded in April 2004 to include all customers who will sign an appropriate non-disclosure agreement,” the company added.
Microsoft said the program is designed to provide very limited information in a brief e-mail three business days before the anticipated release of monthly security bulletins. It also said the notification is to assist customers with resource planning for the monthly security bulletin release.
Microsoft insisted the information provided in the notice was “very basic in nature” and intended only to provide general guidelines concerning the maximum number of bulletins that may be released, the anticipated severity ratings, and an overview of products that may be affected. “The information is purposely not specific and does not disclose any vulnerability details or other information that could put customers at risk.”
However, the availability of advance notice for high-end customers isn’t likely to sit well with most Microsoft customers, who must wait for the public release of bulletins on the second Tuesday of every month.
The move could also raise the ire of independent security researchers who detect software flaws and work privately with Microsoft ahead of coordinated public disclosure.
While Microsoft has typically provided warnings ahead of time to ISVs if a patch will disrupt a specific application, advance notice of specific software patches is never released.
In the notice, which was seen by internetnews.com, Microsoft said it was intended to “help our customers plan for the deployment of these security updates more effectively. The goal is to provide our Premier customers with information on soon-to-be released security updates.”
However, Gartner security analyst John Pescatore described the pre-release of security information to high-end customers only as “an extremely dangerous practice.”
“I know that Microsoft provides some advance warning to the Department of Homeland Security on things that could affect critical infrastructure. But I’ve never seen Microsoft give advance information only to customers who pay. That would be a terrible thing to do,” he said.
“That should only be allowed when we are talking about vulnerabilities that affect critical infrastructure. Not ‘pay me more and I’ll tell you earlier’. It’s a very bad practice.”
The Gartner vice president said the notice would be akin to an independent researcher or hacker finding a vulnerability and sharing the information before a patch is available. “If Ford decided to issue recall notices for faulty brakes only to people who paid for extended warranty, that won’t fly. That would be a horrible thing to do.”
The U.S. government’s Computer Emergency Readiness Team (US-CERT) has also been heavily criticized for providing security advisories to paying customers ahead of coordinated public release.
Last January, research firm Next Generation Security Software (NGSS) cut ties with the federally funded US-CERT and accused the organization of selling early access to vulnerability warnings long before vendor fixes are made available.
At the time, NGSS co-founder Mark Litchfield said it was “annoying” that CERT gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available. “The problem became apparent when the vendor we’re working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege,” Litchfield argued.
NGSS at the time vowed that it would cut off CERT from all future bug warnings until the organization signed a binding non-disclosure agreement that it would not share early access with its paid sponsors.