Microsoft Advises That It Will Improve Advisories

Vendor aims to make security advisories easier for customers to comprehend.

information Staff, Contributor

November 19, 2002


Microsoft, which says it's committed to increasing the security and availability of its applications and operating systems, said Tuesday that it will improve the way it notifies customers regarding "critical" security advisories.

In a memo to 350,000 customers, Steve Lipner, Microsoft's director of security assurance, said the company has received feedback from customers stating that its current security bulletins are often too technical and that many users "find them overly detailed and confusing." To help solve this, Microsoft is going to add a "less-technical end-user" security advisory in addition to its current TechNet technical advisories.

"The new end-user security bulletins will describe straightforward steps that customers can take to help keep their systems secure," Lipner wrote. By year's end, Microsoft also will create an End User Security Notification Service that will inform customers of security problems and provide a link to the correct security bulletin.

Microsoft says it's also changing how it prioritizes its bulletins and will limit the number of such advisories it deems critical. So far this year, Microsoft has issued more than 60 security advisories and related software patches. Roughly half of those had been ranked critical. With so many critical advisories, many experts say, companies had a difficult time deciding which alerts were truly critical to their systems.

Under the new system, Microsoft will save the "critical" ranking only for those security flaws that would enable an automated attack affecting thousands of systems, such as the Code Red and Nimda worms that plagued the Internet last year. Security flaws that would enable a hacker to individually compromise a system will now be deemed "important."
