New Security Advisories Launched
May 16, 2005

A new form of security warning, the security advisory, accompanied a security bulletin rated important for Windows and an updated free Malicious Software Removal Tool on Microsoft's May 2005 "Patch Tuesday." Customers will need to monitor the new security advisories, which resemble streamlined security bulletins, because they provide information on issues that can impact the overall security of computers. (For a summary of the bulletin and the advisories, see the chart "May 2005 Security Communications Summary".)

Security Advisories

Microsoft has created the new security advisories to notify customers in a timely manner and provide guidance about security issues it feels do not warrant a security bulletin. Security bulletins provide information and guidance about software fixes or patches that address software vulnerabilities. Each released security bulletin has an associated software fix for the affected product and an associated severity rating. Security advisories, in contrast, could address broader security issues not dealt with by bulletins, or provide guidance about public vulnerabilities for which Microsoft does not currently have an update. For example, Microsoft may use the advisory to announce changes in a feature of a product that works the way it was initially designed, but that Microsoft has updated to harden the product's overall security. Microsoft will also use security advisories to provide guidance and workarounds to mitigate vulnerabilities that become public before a fix is available. Security advisories might also advise of a perceived security threat that is actually a hoax. In cases where Microsoft provides guidance through a security advisory for a software vulnerability, that security advisory could evolve into a security bulletin, with an associated severity rating, when an update is released to address the issue.
Therefore, just because security advisories don't list an available fix or have a severity rating does not mean customers can ignore them. Those who do could be exposed to problems.

A typical security advisory will contain the following information:

Top-level summary. Why Microsoft is issuing the advisory, its status, and a pointer to the relevant Knowledge Base (KB) article.

Frequently asked questions. Background about the issue addressed by the advisory, and any underlying technologies. For example, one of the May advisories explains the concept of Simple Mail Transport Protocol (SMTP) tar pitting, the practice of artificially delaying server responses for certain SMTP communication patterns associated with spam.

Suggested actions. Recommendations to ensure the issue described in the advisory does not compromise security.

The first two advisories, issued as a pilot of the advisory process, address security improvements and updates for Windows Media Player, and the SMTP tar-pitting feature of Exchange Server. By calling the security advisory process a pilot, Microsoft can quickly adopt customer feedback that could ultimately change the role, timing, and format of advisories.

Although advisories will provide more security information to customers, they do come with a potential downside. Frequently, Microsoft executives use the number of security bulletins issued for a product, such as Windows Server 2003, to show how the security of the product is improving or to contrast the security of a Microsoft product with a competing product, such as open-source software. The Microsoft Security Response Center, which issues both the advisories and bulletins on behalf of Microsoft product teams, will have to be careful to ensure that product groups do not issue an advisory in place of a bulletin in an attempt to maintain a positive security metric.
May Updates

In May 2005, Microsoft released a single bulletin, which addresses an important vulnerability in the Web View feature of Windows Explorer. Exploiting the vulnerability requires a user to have enabled Web View, and an attacker to have convinced that user to preview a malicious file. If these conditions were met, and the user was logged on as administrator (the Windows default), the attacker could take control of the vulnerable computer.

Microsoft also updated its free Malicious Software Removal Tool to make it easier to use. The changed tool will notify users only if infections are found (when running automatically from Windows or Automatic Update). It will perform a full scan only if an initial quick scan finds malicious software. It will remove malware from legitimate files and send information about infections to Microsoft if the user approves. The fifth monthly installment of the tool also adds the ability to detect Sdbot and Ispro/Delprot adware files.

Resources

Information about updates released in May 2005 can be found at www.microsoft.com/technet/security/current.aspx. The new security advisories are described at www.microsoft.com/technet/security/advisory/default.mspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.