Microsoft Security Advisories

Updated: November 25, 2009

Microsoft Security Advisories, a supplement to the Microsoft Security Bulletins, address security changes that may not require a security bulletin but that may still affect customers' overall security.

Microsoft Security Advisories are a way for Microsoft to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin. Each advisory will be accompanied by a unique Microsoft Knowledge Base Article number for reference to provide additional information about the changes.

Some examples of topics that future security advisories may discuss include the following:

- "Defense in Depth" security enhancements or changes that are unrelated to security vulnerabilities

- Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities

Microsoft is committed to providing timely and prescriptive guidance, and we encourage customers to provide feedback on this pilot to help us make this offering valuable. You can provide feedback by completing the form at the following Web site.

Available Notifications:
- RSS: Security Advisory RSS Feed
- Windows Live Alert: Technical Security Advisory Alerts
- Email: Microsoft Security Notification Service: Comprehensive Edition

Last 5 Published or Updated Security Advisories:

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published or Last Updated: 11/25/2009

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service
Published or Last Updated: 11/13/2009

Microsoft Security Advisory (973811)
Extended Protection for Authentication
Published or Last Updated: 10/14/2009

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
Published or Last Updated: 10/13/2009

Microsoft Security Advisory (975191)
Vulnerabilities in the FTP Service in Internet Information Services
Published or Last Updated: 10/13/2009

For the entire list of published Security Advisories, visit the Security Advisory Archive Web site.


Frequently Asked Questions

Q. What kind of information will security advisories contain?
A. Security advisories contain a top-level summary that details the reason for issuing the advisory, frequently asked questions, and suggested actions. Once issued, advisories may be revised as required to reflect new information or guidance.

Q. What is the specific criterion that Microsoft will use to determine whether a security advisory is required?
A. Microsoft is using this pilot opportunity to gain feedback about the security advisories and will use that feedback to determine how the advisories can be of the most value to customers. Our goal is to use that feedback to further determine how frequently customers need security advisories and in what instances they are most valuable.

Q. How are security advisories different from security bulletins?
A. Microsoft Security Bulletins provide information and guidance about updates that are available to address software vulnerabilities that may exist in Microsoft products. With each security bulletin that is released, there is an associated software update available for the affected product. Microsoft Security Advisories are meant to give customers detailed information and guidance on a variety of security-related issues that may not be specifically tied to a software update. For example, an advisory may detail Microsoft software updates that might not address a security vulnerability in the software, but that may introduce changes to the behavior of the product or that introduce new functionality designed to help protect customers from attack.

Q. Could a security advisory become a security bulletin?
A. In cases where we have issued a security advisory to provide guidance on a publicly disclosed vulnerability, once an update was developed to address that software vulnerability we may update the security advisory to reflect the availability of the security bulletin and point customers to that security bulletin for more information.

Q. Will every security advisory become a security bulletin?
A. No. A security advisory may be updated to point to a security bulletin in cases where a security update has been released to address a vulnerability described in the security advisory.

Q. Will customers be able to sign up for email or RSS notification about new security advisories?
A. Yes. A Security Advisory RSS Feed is now available. To receive automatic e-mail notifications whenever a security advisory is issued or updated, subscribe to the Microsoft Security Notification Service: Comprehensive Edition.

Q. How long is this pilot offering going to be available to customers?
A. Our goal is to issue security advisories as appropriate when customers may be affected by security issues. The current pilot implementation is designed to gather feedback from customers on this new offering and to use that feedback to make the advisories more useful for customers. It does not have a set timeline.

Q. Are you going to release security advisories for general Internet security topics or only on Microsoft products?
A. We are currently evaluating the scope of the advisories; however, the overarching goal is to provide information to our customers in a timely manner to help protect them from any security issue that might impact them. While Microsoft will not currently release security advisories on third-party products, we may issue an advisory if a security incident or issue impacts customers that is not related to a specific Microsoft product.

Q. How frequently are you going to update the security advisories after they have been issued?
A. Security advisories may be updated any time we have new information that assists customers and helps protect them from security threats. During the early stages of a security update, a security advisory might go through several revisions as our investigation continues and additional guidance is provided. If a security advisory results in a security bulletin, the advisory may be updated to reflect the availability of the bulletin and its associated security update.

Q. When can I expect workaround information?
A. We are committed to providing timely and authoritative guidance on security issues, detailed in our security advisories. As each investigation continues, workaround and mitigation information is detailed and tested by our engineering teams. This process must focus on quality, so that the workarounds or mitigations provided are tested and the impact of the changes can be documented. Once we have validated the workarounds and their impact, they may be added to the advisory, either before its release or afterward, depending on customer needs.

Q. How much time after a public report can we expect to see an advisory?
A. Security advisories are designed to provide timely information to all Microsoft customers. To that end, we may provide a security advisory within one business day of being notified of an issue that we believe is best communicated using an advisory.

Q. Are you going to release security advisories for reported issues with security updates?
A. Caveats or problems with security updates will continue to be documented in the Microsoft Knowledge Base Article that is referenced in the security bulletin that provided the security updates.

Q. Will the security advisories be rated for severity like security bulletins?
A. Security advisories in the pilot program will not be given a severity rating because they may not address a security vulnerability or may be issued to advise of a situation that may be perceived as a security threat but is actually a hoax. If a security advisory is issued to provide guidance on a publicly-disclosed vulnerability, the subsequently-issued security bulletin will contain a severity rating for the vulnerability.

Q. Why aren't you including information about the security advisories in the Advance Notification (ANP)?
A. Our goal is to issue security advisories as appropriate when customers are affected by security issues after being notified of an incident or issue. Therefore, giving advance notice via the ANP may not necessarily be a possibility.

Q. How will customers know when there is a call to action associated with these security advisories?
A. There is a "Suggested Actions" section in each advisory to detail any action that users may have to take to help protect themselves.

For More Information


Protect Your PC: Microsoft has provided information about how you can help protect your PC at the following locations:

- IT Professionals can visit the Security Guidance Center Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
- IT Pro Security Zone Web site

Support:

- Microsoft Product Support Services.
- International Support Web site.

Disclaimer
The information provided in this document is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
