In the past year, the Redmond, Wash.-based company quietly changed its procedure for releasing security bulletins and software patches for security vulnerabilities in its products, creating a carefully orchestrated process that predictably releases bulletins and patches to the public on Wednesdays, according to senior Microsoft security personnel.
The company never formally announced the change in procedure, which went into effect around May of 2002, nor is the policy mentioned on Microsoft's Web site or articulated in any document released by the company, according to Steve Lipner, director of security assurance at Microsoft.
Nevertheless, the policy has had a noticeable effect on how and when Microsoft releases product vulnerability information.
For example, in February 2002, before the change in procedure, Microsoft released eleven bulletins, MS02-002 through MS02-012, on seven separate days.
By comparison, in July the company released seven vulnerability notices, MS02-034 through MS02-040, on just three Wednesdays: July 10, 24, and 31. Four of those, MS02-036, 037, 038, and 039, were released on July 24 alone.