Microsoft to Limit ‘Critical’ Security Warnings

As it continues to battle the PR nightmare over software security, Microsoft plans to change the way vulnerability warnings are issued, particularly for non-technical end-users.

A less technical alerting system has been added to the one used to alert tech professionals, Microsoft director of security assurance Steve Lipner said in an e-mail.

“In addition, before year’s end, we will create a new End User Security Notification Service that will notify customers of security issues in end-user-oriented products and provide a link to the appropriate end-user security bulletin,” Lipner added.

He said the move to rejigger the way security alerts are issued was necessary because end-users were finding the existing system “overly detailed and confusing.”

Now, the plan is to issue separate alerts meaning that subscribers to Microsoft’s Security Notification Service would receive bulletins “that are of interest only to developers or system administrators,” Lipner added.

The Redmond-based software giant also plans to limit the “critical” rating on security alerts to customers because of fears that too many high-level alerts were being issued.

Instead of issuing a “critical” rating on vulnerability warnings, Microsoft has modified its Severity Rating Criteria to specify clearly which bugs needed to be addressed immediately.

“There is also a widespread feeling that the Severity Ratings are difficult to understand and apply. For these reasons, we have modified (the criteria) to help customers more easily evaluate the impact of security issues,” Lipner explained.

So far this year, almost half of Microsoft’s 64 vulnerability alerts were tagged with the ‘critical’ rating and security experts have warned about a potential “cry wolf” situation if too many insignificant patches came with the highest-level rating.