Yesterday, Microsoft issued four security alerts that extend a strategy adopted about a year ago that I assume is designed to diminish the apparent number of vulnerabilities. Microsoft started consolidating related, multiple security vulnerabilities into single bulletins, rather than issuing separate warnings.
The four new alerts--three of which rank highest rating of "critical"--consolidate a hefty number of vulnerabilities into a much smaller number of alerts. Critical alert MS04-011 covers 11 separate vulnerabilities, while MS04-012 adds another four. That works out to 15 separate vulnerabilities, but only two alerts issued.
I view the consolidation tactic as part of what I call Microsoft's "security by PR," meaning public relations, strategy. Certainly, Microsoft should be commended for warning customers of vulnerabilities and issuing the appropriate patches. But, I don't think customers' best interests, or even Microsoft's, are served by apparently diminishing the overall security problem.
Right now, Microsoft is conducting a road show that is bringing major executives out to talk straight about security. If customers are going to trust in Microsoft security, they may want to feel they can trust what Microsoft tells them about security. I understand that issuing 17 alerts, as opposed to four, makes it harder for Microsoft executive to count up the number of alerts as use the counting and evidence security is improving. I would recommend an approach of winning real trust, which starts by being as upfront as possible to the extent of any problems.[via Microsoft Monitor]