Security Push Continues
Dec. 9, 2002

Two recent announcements highlight Microsoft’s continued focus on security. First, Microsoft is telling customers that to stay secure they should stay current, meaning run the latest versions of its products, so that they receive the latest security patches and fixes and benefit from the security code review of Windows. Second, Microsoft is attempting to improve its vulnerability reporting. The announcements demonstrate Microsoft's continued drive to appeal to enterprises that are increasingly concerned about security, but the requirement to "stay current" will lead to higher costs.

Stay Secure, Stay Current

Speaking as part of Microsoft’s Silicon Valley Speakers Series, Craig Mundie, chief technology officer for advanced strategies and policy, said that more users run Windows 95 and 98 than the newer versions of Windows, such as Windows 2000 and XP. Mundie used this fact to outline two trade-offs that are necessary to address the latest security challenges.

The first trade-off involves application compatibility. Mundie reiterated that Microsoft will forsake the ability for newer operating systems (OSs) to run older applications to ensure that Windows is more secure. Previously, Microsoft would err on the side of making legacy applications work even if it reduced the overall security and reliability of Windows.

The second trade-off involves the need for customers to upgrade to the latest version of Windows. Although Mundie acknowledged that computers with older versions of Windows can be insulated behind firewalls or kept off the Internet, he suggested that companies should regularly replace them with new computers or software that has "intrinsically" better security capabilities. He recommended that customers consider security a critical feature and upgrade to newer versions of Windows that Microsoft says are more secure, even if older versions are meeting customers' current needs.

Mundie’s "to get secure, get current" message reinforces the security patch availability information in Microsoft’s new support life-cycle policy. (See "New Support Life-Cycle Policy" on page 23 of the Nov. 2002 Update.) As defined in this policy, security patches will be available through the extended support phase, which begins six years after an operating system has been released. Customers should anticipate that while hotfixes for all versions will be made available almost simultaneously, service packs will likely be released first for the newest OS (i.e., Windows XP) and then for the older supported releases.

New Alert Rating System

The Microsoft Security Response Center (MSRC) is changing the way it alerts customers about vulnerabilities. The MSRC, which is responsible for issuing information about vulnerabilities in Microsoft’s products and ensuring that the appropriate patches are released, will begin to issue less technical end-user security bulletins to supplement the technical security bulletins it already releases for corporate customers and developers. Both bulletins will be available at Microsoft's security Web site. The MSRC will also create an End User Security Notification Service to notify users of security issues in consumer and other nonbusiness products and provide a link to the appropriate security bulletins.

The MSRC has also changed the way it rates the severity of vulnerabilities, in an effort to make clearer how a vulnerability could affect a user and how important it is for the user to apply any patch or implement any workaround. (For more details on the new severity ratings, see the chart "Severity Level Changes".) According to the MSRC, customers should read the security bulletins for all products that they use and apply patches that address vulnerabilities Microsoft rates as "critical" or "important." For vulnerabilities rated "moderate" or "low," customers should determine whether the vulnerability is likely to affect their particular configuration before applying any patches.

Resources

More information about the revised vulnerability ratings is at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/policy/rating.asp.

Customers can register for security notifications at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp.