Will Microsoft Update Its Update Release Process?

In last week's edition of the newsletter we included a news story, "Critical Update for Windows Firewall Flies Under the Radar," that discusses a critical update for Microsoft's Windows Firewall. The critical update was released to the company's Automatic Update, Windows Update, and Download Center 1 day prior to the company's regular monthly release of security bulletins.

http://www.windowsitpro.com/Article/ArticleID/44834/44834.html

Soon after the publication of the news story, a Microsoft spokesperson contacted Windows IT Pro Magazine to clarify why the critical Windows Firewall update wasn't included in the monthly bulletin release. Apparently, the update fell through some cracks in the company's policies and procedures.

Microsoft said that the update was developed and released by the Windows team, not the security team, and that the Windows team didn't communicate with the security team as well as it could have. Microsoft said that because it wasn't as transparent about the update as it could have been, "we gave the impression that we were trying to slip something in, which was not our intent."

Whether this incident leads to a change in the type of content that will be included in the company's monthly security bulletins, I don't know. In any event, Microsoft is working to update its update release procedures and communication among its teams.

A few people expressed concern that such a critical update wasn't released as a security bulletin. You might think that security bulletins would include all security issues regardless of why such an issue exists. Microsoft said that the update didn't meet the bar for monthly bulletin releases because it doesn't address a "code vulnerability"--rather, it represents a change to the underlying behavior of the firewall. Apparently "code vulnerability" means a coding error or bug rather than bad behavior.

I think most of you will agree that the company could improve its security issue notification process by somehow using it to inform people of all security-related issues regardless of why the issues exist. Microsoft has done a great job so far in improving the security of its software and in communicating with the public about security matters. Even so, there's still room for more improvement--as we've seen with this matter of a critical Windows Firewall update--and I expect Microsoft will take the opportunity to continue with its steady stream of security-related improvements.

What do you think about this matter? Let us know by answering the poll listed in this edition of the newsletter.

Until next time, have a great week.
