SecurityFocus 2001-11-09
Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes
Shocking developments
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (2 replies)
Such a policy for disclosure already exists
2001-11-09
Dumky (1 replies)
Such a policy for disclosure already exists
2001-11-10
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
...on second thought...Kudos!
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (1 replies)
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-10
Rafal Sybilla-Leszczynski (1 replies)
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-12
Anonymous
Microsoft have no server monopoly: this may reduce their share
2001-11-12
Kirsten Bayes (kirruth@hushmail)

The first is that admitting responsibility will inevitably open them up to litigation. How long would it take for an organisation, once attacked, to try to seek some kind of compensation from MS? Once they have admitted responsibility, the floodgates are open. We have already seen the insurance premiums for IIS rise after Code Red. This is just the most recent dodge of responsibility from Microsoft. In recent times they have pointed the finger not only at the security community but also at system administrators who were having trouble keeping up with the plethora of security patches issued by Microsoft.
The second issue is that Microsoft needs to find a way to continue to grow. They currently have approx 95% of the desktop market and a good percentage of the server market. There will come a time soon when they will not be able to grow their market base. The answer for them is .NET and software by subscription. This initiative will die before it has begun if they can't get Microsoft security issues out of the headlines.
There is only one thing that forces Microsoft to act: $$$. In the past they could afford to be lax on the security front, as there was no real financial reason not to be. Now, with recent criticism from Gartner and the latest Netcraft survey showing a substantial drop in IIS servers connected to the net, Microsoft has to act. Their new security program was a step in the right direction. Anything that makes administration easier (at no cost) has to be a good thing. However, full disclosure is critical if we as security administrators/designers are to have any chance of being effective. We need access to as many tools and as much information as is available to the attackers.
It is important to recognise that Microsoft is a marketing company that occasionally produces some software. Security information will become available through TechNet and MSDN subscriptions and therefore become just another MS product to be marketed and sold.
I don't see how this approach from Microsoft will be effective. They are not competing with a rival organisation or product. Information disclosure is not something that can be bought. As already mentioned by several people, the groups signing up for this agreement have a commercial interest in keeping information secret. They are all security "companies" and, as such, are not in my opinion representatives of the security "community". The security community is made up of individuals who believe open sharing of information will benefit us all. If the current methods of disclosure are closed to us, others will take their place.