This week’s announcement that Microsoft is changing how Advance Notification Service (ANS) distributes patch alerts to customers was met with some trepidation in the Microsoft community.
It’s a complicated issue. However, a narrow disclosure of software vulnerabilities to a vetted audience of non-hostile entities makes sense.
The evolution toward providing fewer and fewer details about vulnerabilities to the entire world has been going on for about the last 20 years. Many critical vulnerabilities that Microsoft has patched come with precious few public details about what was fixed and how.
There is valid motivation for this policy – namely the reality that many Microsoft customers are slow to patch vulnerabilities, and some never apply patches. The broad disclosure of software vulnerability alerts creates an unnecessary population of attackers who will take advantage of the divulged weaknesses, and exploit those who don’t apply patches in a timely and consistent manner.
At Lieberman Software we’re prompt and transparent with our customers about fixes within our products. But we too tend to obfuscate the details shared on our public web site, so as to not put our customers at risk.
Not every one of our customers updates our software or applies patches promptly. So we find ourselves doing just as Microsoft has done: balancing public disclosure against the reality that full transparency, for its own sake, would put our customers at undue risk.
Neither our company nor Microsoft wants to create problems for our customers by excess disclosure.
What are your thoughts on Microsoft’s ANS announcement? Leave a comment below.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.