Does The Press Make Too Much Of Security Warnings?

"No news is good news" is a saying that Microsoft probably has pinned to its front door. It seems that not a day goes by that some security advisory firm or other announces that a new vulnerability has been found in a Microsoft product. Until recently, that is. In the last few weeks, Firefox and Mozilla have -- not surprisingly -- become the focus of attention as well.

To tell you the truth, whenever I read another article that lists the latest flaws in a piece of popular software, I'm of two minds. On the one hand, I'm very glad that, if there was a weakness that could be exploited by malware, it was discovered by an analyst -- and, by extension, the software manufacturer -- before somebody with unpleasant intentions made use of it. If the good guys get there first, the vulnerability will presumably be fixed, and we'll all be safer.

However, there is a niggling voice in the back of my head that speculates about how serious many of these flaws are -- and how much good is done by trumpeting their existence every time another one is discovered. Are we being given important information -- or just becoming part of a public relations war between Microsoft, its competitors, and a small cadre of analysts? (Of course, as soon as that voice makes itself heard, the first one starts to yell, "Are you nuts? Of course we want to know about any flaws in our software! How else can we make sure that the manufacturers will fix their mistakes?" Things can get very interesting inside my head.)

I'm also starting to wonder if, like the Department of Homeland Security, we shouldn't simply start offering colors as indicators of how many threats have been announced in any week, and how severe they were. For example, Yellow can mean a few minor back door cracks were caught and easily handled; Orange can mean that six unpatched vulnerabilities were found in Windows XP Service Pack 2; and Red could mean that Bill Gates was seen surreptitiously buying a Mac mini.

Anyway, here are some of the more recent announcements, in case you're keeping track:

Security Firm Finds More Firefox/ Mozilla Bugs

Mozilla, Firefox Open To Attack

Firefox Patch Fixes Vulnerabilities

Microsoft Patches 'Blue Screen Of Death' In Windows XP SP2

Follow Up
The ever-interesting Mitch Wagner, who, among his other roles, edits the Security Pipeline, has expanded on this subject by asking Are Security Vendors Playing The Press For Chumps? You should definitely check it out.