Microsoft worms its way off bug list

Microsoft has told Security Focus, the US security company that manages the Bugtraq moderated security email list, that it can no longer publish the software giant's security alerts.

The issue centres around Microsoft's recently redesigned security email alerts, which it distributes to registered subscribers and third-party security mailing lists.

The redesigned bulletins give only the barest details about new vulnerabilities and instead direct users to a page on Microsoft's website for the full text.

Under the original email format, which included full text, Bugtraq was able to redistribute the alerts because Microsoft had sent them to Bugtraq. But in response to a Microsoft vulnerability email alert issued in the new format earlier this week, Bugtraq moderator Elias Levy republished the full text, which he downloaded from Microsoft's website.

This solicited an angry response from Microsoft, which told Levy that he did not have permission to redistribute the text, and that doing so would be considered an act of copyright violation.

Ryan Russell, management information systems manager at Security Focus, said Levy decided not to approve alerts that do not provide full text, and downloaded the information from Microsoft's website so that Bugtraq readers would get additional details.

"Microsoft's new format is not as useful as the old format. You've got to launch a new browser to see the full text and it seems to work better when viewed on Internet Explorer than Netscape," said Russell.

Other Bugtraq recipients have complained that the new format points users to one point of failure, and warned that emails addresses can be spoofed with links provided to a malicious site.

Russell said Bugtraq would return to redistributing Microsoft alerts if the software giant goes back to the old format.

Microsoft failed to comment.