In order to stay relatively up-to-date with the changing IT security landscape, I subscribe to several notification services and RSS feeds. One recent addition is the Microsoft Security Advisory service. This pilot offering is designed to provide information outside of the normal Patch Tuesday communication loop. A great demonstration of this new service is the recent advisory regarding a new Internet Explorer vulnerability.
Last night around 7:30pm I received an e-mail from Microsoft containing this information. It seems that a new security hole in IE has been discovered and publicly announced. This last fact is important – and ties in nicely with the purpose of security advisories. Allow me to explain…
In a perfect world, security researchers find bugs, then report those bugs privately to the affected vendor (in our case, Microsoft). At this point, Microsoft attempts to validate that the report is actually a bug. If it is, they immediately go into triage mode and work on a fix. This fix is what you are used to seeing on Patch Tuesday. So, in this scenario, there is no public announcement of the vulnerability before Patch Tuesday.
Now – let’s jump over to the real world. Some security researchers don’t like to play by Microsoft’s rules. They would rather grab their 15 minutes of fame by publicly announcing the vulnerability before Microsoft has had a chance to provide a fix. This is exactly the case with the IE vulnerability mentioned in last night’s Security Advisory. Now Microsoft must rush out a fix since the exploit code is available for any script-kiddie to play with after school. This could result in a less-than-stellar patch due to inadequate time for testing, etc. Basically, in this scenario everyone loses.
I commend Microsoft on their efforts to improve communication about security issues. This hasn’t always been the case, but instead of beating them up over past mistakes – I’d rather focus on the positive steps they are taking now. And as for those limelight-stealing security researchers, well – that is a subject for another day.
Check out the full list of available security communications at the Microsoft Technical Security Notifications web site. Stay informed, and stay safe.