Microsoft Tips The Big Boys

Microsoft Corp. has quietly begun giving some of its largest customers early warning of security problems with its products.

Under the free program, some customers get three business days' notice of how many security fixes Microsoft plans to release in its regular monthly bulletins, and which Microsoft products are affected. Customers also can learn how severe a threat the flaws pose before the general public gets that information.

While Microsoft said the effort is meant to help businesses plan better, critics complain the program is inherently exclusive because it's only been offered to certain customers.

Because most people don't know it exists, that puts many at a disadvantage, said John Pescatore, vice president for Internet security at research firm Gartner.

"This is safety-related defect information, and for it to be selectively given to some and not to others is a bad thing," Pescatore said.

Microsoft has spent the last couple of years trying to improve security in products such as its ubiquitous Windows operating system and popular Office business software.

On Tuesday, it publicly announced the latest of many flaws it deems critical, this one allowing an attacker to take control of other computers by persuading their owners to open a specially crafted graphics file. The early notice went out the previous Thursday.

Redmond-based Microsoft began testing the early-warning program last fall and expanded it in April. It has not been widely publicized, and Microsoft has been offering the service to some customers individually through sales representatives.

Amy Carroll, director of product management for Microsoft's security business and technology unit, said the program is geared toward very large companies, some of which had asked for such information so they could better prepare to deploy the patches.

But she said the program is open to anyone willing to sign an agreement promising to keep the information confidential.

About 3,500 customers are taking part.

Because the information is so general, Carroll said, it would not be enough to help someone launch an attack before a patch was made generally available.

But Pescatore said there are circumstances where it could pose a security risk. For example, he said, an attacker might launch a pre-emptive strike after learning that Microsoft planned a software fix.

The fact that the program is subject to a confidentiality agreement means that it must have some potential value for attackers, Pescatore said.

The advance notification is only for Microsoft's regularly scheduled monthly patches, which are released on the second Tuesday of each month.

Carroll said Microsoft usually doesn't have the luxury of giving customers advance notice of emergency fixes released between those planned cycles.
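For readers who want to turn the schedule described above into a planning calendar, the following is an added example, not code from Microsoft or from this article. It computes the second Tuesday of each month and then counts back three business days to find the advance-notification day, which for a normal week lands on the preceding Thursday, matching the Thursday notice the article mentions. It assumes the notice is sent exactly three weekdays before release and ignores public holidays, which the article does not address.

```python
import calendar
import datetime as dt


def patch_tuesday(year: int, month: int) -> dt.date:
    """Return the second Tuesday of the given month (the regular release day)."""
    first = dt.date(year, month, 1)
    # Days from the 1st to the first Tuesday; Python weekday(): Monday=0, Tuesday=1.
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + dt.timedelta(days=to_first_tuesday + 7)


def business_days_before(day: dt.date, n: int) -> dt.date:
    """Step back n weekdays from `day`, skipping Saturdays and Sundays.

    Assumption: holidays are not considered; the article gives no holiday rule.
    """
    current = day
    remaining = n
    while remaining > 0:
        current -= dt.timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def advance_notice_date(year: int, month: int, notice_days: int = 3) -> dt.date:
    """Date on which participating customers would receive the early warning.

    Three business days before a Tuesday release is the preceding Thursday.
    """
    return business_days_before(patch_tuesday(year, month), notice_days)


def yearly_schedule(year: int) -> list[tuple[dt.date, dt.date]]:
    """(notice date, release date) pairs for every month of the year."""
    return [(advance_notice_date(year, m), patch_tuesday(year, m)) for m in range(1, 13)]


if __name__ == "__main__":
    for notice, release in yearly_schedule(2005):
        print(f"notice {notice:%a %Y-%m-%d}  release {release:%a %Y-%m-%d}")
```

Anyone relying on this for deployment planning should note that out-of-cycle emergency fixes, as the article says, carry no such notice and cannot be scheduled ahead of time.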
