Microsoft sometimes falls short in the area of security notifications

Did you read the NTBugtraq mailing list last week? If not, you missed some good points that list moderator Russ Cooper made. Cooper points out that Microsoft sometimes falls short in the area of security notifications, as I'm sure many of you will agree. Cooper said, for example, that Microsoft doesn't adequately notify its customers about the release of new service packs, security rollup packages, and security updates for specific products, such as the Outlook Email Security Update. In addition, the company doesn't directly notify customers when it releases new security tools, such as Microsoft Baseline Security Analyzer (MBSA), HFNetChk, and URLScan for Microsoft IIS.

Without such notification, customers remain unaware of new security-related tools and patch packages—at least until word gets out through security-related mailing lists or until members of the press learn about the tools and packages and publish articles that notify readers. The lack of notification also makes Microsoft customers do extra work. Cooper notes, for example, that installing Microsoft's security rollup packages often eliminates the need to install numerous individual patches because the rollup packages contain all the patches released to date. In addition, security rollup packages might contain additional patches not related to a specific Microsoft security bulletin.

Cooper didn't include security-related TechNet articles among his examples, but he could have, because they support his point just as well. Sometimes, Microsoft releases security information exclusively in TechNet articles but doesn't notify customers about the articles. The recent Microsoft article "Denial of Service Attack on Port 445 May Cause Excessive CPU Use," which outlines registry tweaks that help prevent Denial of Service (DoS) attacks, is a case in point. Microsoft released the article in mid-April to help administrators, but didn't notify customers about it. Instead, customers found out through mailing lists and news reports. We published a related news story ("Microsoft Article Q320751: Denial of Service Workarounds") in last week's Security UPDATE.

If you read that news story and clicked the embedded link to the Microsoft article, you know that the article was on the TechNet Web site at the time of publication. However, when I looked for the article Monday, someone had removed it from the TechNet Web site. What's going on? I don't know because Microsoft doesn't publish any information in such instances—so it's a case of now you see it, now you don't!

Microsoft apparently has at least two approaches to security-related notifications: one approach for issued security bulletins and another for other security-related matters. Cooper believes that in addition to security-related hotfixes, Microsoft should issue a security bulletin every time the company releases a security-related patch or tool. That's a good idea, but publishing all security-related information in security bulletins might not be the best way to handle such user notification.

Alternatively, Microsoft could establish a second security-related mailing list to notify users about non-bulletin security matters, such as the release of new service packs, the publication or withdrawal of pertinent TechNet articles, and the release or update of new security-related tools such as MBSA and URLScan. Developing an additional user-notification method—whether that involves new bulletins or a second mailing list—would certainly benefit Microsoft's "Get Secure and Stay Secure" initiative. As matters stand now, users must rely on third parties for important security information.

What do you think? Would you benefit from Microsoft notifying you about additional security-related information and resources? If you believe you would benefit, would you prefer to be notified through a security bulletin or through a new Microsoft security mailing list? Please stop by the Security Administrator home page and respond to our new Instant Poll. I also welcome email messages with your further thoughts about security-related notification (mark@ntsecurity.net). I look forward to your responses.