While Microsoft informs administrators and end-users how many patches it plans to deliver and which platforms they affect, many security pros are left guessing just how significant the load will be.
The new advance notifications (ANS), scheduled to debut 7 June, will contain the maximum severity rating, vulnerability impact, detection information and affected software for each bulletin. They will not be grouped by platform.
"We’ve received positive feedback on the ANS, but customers have told us additional information would be even more helpful," Mark Miller of the Microsoft Security Response Center said Wednesday on the team's blog.
Johannes Ullrich, CTO of the SANS Internet Storm Center, told SCMagazine.com that the changes will help organisations determine which fixes are most pressing.
"A lot of people use different patch schedules for ‘critical’ versus ‘important,’" he said. "Last week, they had five patches that were all [maximum severity rating of] critical. But you didn’t really know how many of the individual bulletins were critical."
Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazine.com that the more detailed pre-release announcements will not give away any information that may help hackers prepare an attack.
"Overall, it will be an aid to system administrators," he said.
Still, despite the additional information, organisations will not know the full extent of what awaits them until the patches are officially delivered, Ullrich said.
"What people are looking for is how much work it will take to apply these patches, and that’s always hard to predict until you see them," he said.
Microsoft also announced a planned security bulletin redesign that seeks to move pertinent information to the top of the advisory, eliminate repetitive content and compile the affected products in a table instead of a list.
Microsoft to offer more security details in advance
By Dan Kaplan on May 18, 2007 10:18AM