This Alert is to make you aware of a pilot program for a new public security communications offering: Microsoft Security Advisories.
Microsoft Security Advisories aim to provide guidance and information about security-related software changes or software updates. Microsoft Security Advisories are a supplement to the Microsoft Security Bulletins and are a way for Microsoft to communicate security information to customers on issues that may not be classified as a vulnerability and may not require a security bulletin. Each advisory will be accompanied by a unique Knowledge Base Article number for reference, providing additional information about the changes. Some examples of topics future security advisories may discuss include:
- Software Updates that may provide "Defense in Depth" security enhancements or changes unrelated to security vulnerabilities
- Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities
- Notification of public exploit code or proof-of-concept code that might be related to a released update or vulnerability
Microsoft is committed to providing timely and prescriptive guidance, and we encourage customers to provide feedback on this pilot to help us make this offering valuable. Feedback can be provided by using the 'Contact Us' feature on the advisories.
Q: What kind of information will security advisories contain?
A: Security advisories contain a top-level summary detailing the reason for issuing the advisory, frequently asked questions, and suggested actions. Once issued, advisories may be revised as needed to reflect new information or guidance.
Q: What are the specific criteria that Microsoft uses to determine whether a security advisory is needed?
A: Microsoft is using this pilot opportunity to gain feedback on the security advisories and will use that feedback to determine how the advisories can be of the most value to customers. Our goal is to incorporate that feedback to further determine how often customers need security advisories and in what instances they are most valuable.
Q: How are security advisories different from security bulletins?
A: Microsoft Security Bulletins provide information and guidance on updates available to address software vulnerabilities in Microsoft's products. With each security bulletin that is released, there is an associated software update available for the affected product. Microsoft Security Advisories are meant to provide customers with detailed information and guidance on a variety of security-related issues that may not be specifically tied to a software update. For instance, an advisory may detail updates provided for Microsoft software that might not address a security vulnerability in the software, but may introduce changes in the behavior of the products or new functionality designed to help protect customers from attack.
Q: Could a security advisory become a security bulletin?
A: In cases where we have issued a security advisory to provide guidance on a publicly disclosed vulnerability, once an update has been developed to address that software vulnerability, we may update the security advisory to reflect the availability of the security bulletin and point customers to it for more information.
Q: Will every security advisory become a security bulletin?
A: A security advisory may be updated to point to a security bulletin in cases where a security update has been released to address a vulnerability described in the security advisory.
Q: How long is this offering going to be available to customers?
A: Our goal is to issue security advisories as appropriate when customers may be impacted by security issues. The current pilot implementation is designed to gather feedback from customers on this new offering and to incorporate that feedback to make the advisories more useful for customers; it does not have a set timeline.
Q: Are you going to release security advisories for general Internet security topics or only on Microsoft products?
A: We are currently evaluating the scope of the advisories; however, the overarching goal is to provide information to our customers in a timely manner to help protect them from any security issue that might impact them. While Microsoft will not currently release security advisories on third-party products, we may issue an advisory if a security incident or issue that is not related to a specific Microsoft product impacts customers.
Q: How often are you going to update the security advisories after they've been issued?
A: Security advisories may be updated any time we have new information that assists customers and helps protect them from security threats. During the early stages of an investigation, a security advisory might go through several revisions as the investigation continues and additional guidance is provided. If a security advisory results in a security bulletin, the advisory may be updated to reflect the availability of the bulletin and its associated update.
Q: When can I expect workaround information?
A: We are committed to providing timely and authoritative guidance on security issues, detailed in our security advisories. As each investigation continues, workaround and mitigation information is detailed and tested by our engineering teams. This process must focus on quality, so that the workarounds or mitigations provided are tested and the impact of the changes can be documented. Once we have validated the workarounds and their impact, they may be added to the advisory, either prior to release or afterwards, depending on customer needs.
Q: Will customers be able to sign up for email or RSS notification about new security advisories?
A: The pilot offering is primarily an opportunity to gather feedback on the security advisories, and therefore we will not immediately have an email or RSS notification available. As we continue to incorporate that feedback into this offering, we will consider making this available.
Q: How much time after a public report can we expect to see an advisory?
A: Security advisories are designed to provide timely information to all Microsoft customers. To that end, we may provide a security advisory within one business day of being notified of an issue that we believe is best communicated using an advisory.
Q: What languages will the security advisories be available in?
A: Security advisories may be available in all languages currently supported by the security bulletins. However, in order to release the advisory quickly, the localized versions of the advisory may not be released at the same time as the English version.
Q: Are you going to release them for problems with security updates?
A: Caveats or problems with security updates will continue to be documented in the Microsoft Knowledge Base Article referenced in the appropriate security bulletin that provided the security update.
Q: How will I know when new security advisories are available?
A: The pilot offering is an opportunity to gather feedback on the security advisories, and therefore we will not immediately have an email or RSS notification available. As we continue to incorporate that feedback into this offering, we will examine making these options available.
Q: Will the security advisories be rated for severity like security bulletins?
A: Security advisories in the pilot program will not be given a severity rating, because there may be instances in which an advisory is issued to advise of a situation that was perceived to be a security threat but is actually a hoax. In that instance, a severity rating would not be applicable, because customers might not be at risk from that particular security threat.
Q: Why aren't you including information about the security advisories in the Advance Notification?
A: Our goal is to issue security advisories as appropriate when customers are impacted by security issues, after we have been notified of an incident or issue. Therefore, giving advance notice via the Advance Notification Program (ANP) may not necessarily be possible.
Q: How will customers know when there is a call to action for them associated with these security advisories?
A: There is a "Suggested Actions" section in each advisory to detail any action that users may need to take to help protect themselves.
For more information on this new offering, customers can join the Technical Security Bulletin Webcast:
- Wednesday, May 11 2005, 11 AM - 12 PM PDT
If you have any questions regarding this alert, please contact your Technical Account Manager or Application Development Consultant.
Microsoft PSS Security Team