At the COMDEX Fall 2002 trade show in Las Vegas yesterday, Microsoft announced three important changes to the way the company communicates security fixes to its customers. The changes come less than a year after the company rallied around its Trustworthy Computing initiative, under which Microsoft is redesigning its products for better security. According to the company, the changes are the result of customer feedback.
"We're clarifying how we communicate security to customers," Mike Nash, vice president of Microsoft's Security Business Unit, told me in a briefing yesterday. "We had three main areas of feedback. First, the overall severity rating in our security bulletins was hard to understand, especially for individual users. Second, customers told us that our detailed technical bulletins were good for IT, but they scare individuals and are hard to understand. And third, customers appreciate our security alert email service, but [the email bulletins] often discuss products that customers don't care about."
To address these problems, Microsoft has expanded its security-vulnerability rating system from the previous three levels to four: low, moderate, important, and critical. The new important level will cover many vulnerabilities previously classified as critical, and the critical rating will now be reserved for vulnerabilities that worms and similarly virulent, self-propagating threats could exploit. In addition, Microsoft will issue modified security bulletins for products that individuals use; the consumer-friendly version will use simplified language and be less technical than the standard bulletin, Nash said. Finally, Microsoft will begin a security email notification service for consumers that will contain only information about consumer-oriented products.