From now on, Redmond has declared, security notifications will be publicly available on its Web site three business days ahead of Patch Tuesday, which is the second Tuesday of each month.
Microsoft said the move is designed to help IT organizations better plan for patch deployments. The security summaries will give a general description of the vulnerabilities that will be patched, but details will be withheld to prevent bad guys from using the early notice as a head start on exploits.
Some may wonder what the point of this is. Why not just issue the patches when they are ready? Well, that's the way Microsoft used to do it, and all it did was create chaos and force people to be reactive. It's hard to get anything done when you constantly have to drop what you are doing to deal with the latest patch. As much as administrators have come to dread Patch Tuesday, at least they have a schedule to work with. And now the early notification program will give them more time to be proactive.
It's also something of a "make good" on the part of Microsoft. In September, the company acknowledged that "premier" customers had been getting an early warning of security bulletins since November 2003. Earlier this year, the notification program was expanded to those willing to sign nondisclosure agreements. Now the playing field is truly level.
For those curious about what's coming this month, the word is out on TechNet: On Tuesday, Microsoft plans to release an "important" patch for a vulnerability that affects Internet Security and Acceleration Server.
Elsewhere in the news
Redmond has wrapped up an 18-month project to revamp its online customer support program. Microsoft's support center now offers both filtered and weighted searches on products and topics. Kurt Samuelson, general manager of Microsoft's global support automation program, said the changes will also allow customers to more easily organize and manage the information they collect from the company's knowledge base.
Recently, an e-mail memo to customers signed by Steve Ballmer hit on some of the chief executive's favorite themes: security initiatives and Microsoft's total cost of ownership compared to rival Linux. While the memo appeared to offer little in the way of new information, it did catch the eye of one intellectual property lawyer -- quoted by ZDNet UK -- who marveled that Ballmer appeared to be promising his customers "uncapped" (read: unlimited) protection from intellectual property lawsuits.
This month, Microsoft is expected to release two new feature packs for Systems Management Server 2003. One targets operating system deployments and the other allows SMS 2003 to manage Windows-based mobile devices.
The most recent vulnerability discovered in Internet Explorer has raised an interesting debate about the malicious practice of spoofing URLs. Microsoft argues that while spoofing is a troublesome extension of social engineering, it is not a true security risk because users have to be enticed to make several decisions to put themselves in harm's way. In a related matter, Openwares.org, an open source software development group, offers a free patch for the IE spoofing flaw on its site.
Hoping to capitalize on the latest news about Internet Explorer is the Mozilla Foundation. Online data compiler WebSideStory reports that the group's Firefox open source browser now has 6% of the market, compared to 3.5% in June. IE held about 96% of the market in June and now stands at just under 93%.
Firefox should have been called Phoenix, because it has risen from the ashes of the code that once was Netscape. Maybe the name was already taken.