Slashdot Mirror


Microsoft's Security Disclosures Come Under Fire

Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."

4 of 150 comments

  1. Not such a big shock by Stephen Samuel · Score: 3, Informative
    My question wasn't if MS was going to get nailed for doing something like this, it was when.

    The main reason for implementing the monthly patch cycle (AFAICT) was PR. A bad week with 3 critical patches could really kill a sales rep's story that MS 'professional programmers' was the way to go if you wanted a secure system. It was only a matter of time until some PR hack realized that things could look even better if you didn't bother to document every security hole that a monthly patch fixed.

    The upside for the user end (most often touted) of the monthly patch cycle is that a company doesn't sometimes need a full time crew just to go through the sometimes daily critical patches to see if/and what they break. The two downsides are that you don't always know what the monthly patches fix, and a well timed zero-day patch can mean that the black hats have up to a month to stomp on your system before the official fix comes out.

    --
    Free Software: Like love, it grows best when given away.
  2. Microsoft also lies in its Knowledgebase Articles by Master of Transhuman · Score: 2, Informative

    Last year when I had my problem with Windows 2000 hosing my system's partition table because installing it with Service Pack 3 on, THEN installing Service Pack 4 was insufficient to prevent it from hosing the partition table on a big disk when the outer portions of the disk eventually ended up being used, I finally dug up a Microsoft Knowledgebase article that admitted that "some disks" geometry wouldn't be read correctly in that situation.

    Nowhere did Microsoft identify WHAT disks, WHY, or HOW. It was a "throwaway line" like that referenced in the present article. Microsoft was happy to say that LBA48 was supported by Windows 2000 Service Pack 4, but NOT that if you installed it first WITHOUT Service Pack 4 and then installed SP4, that Windows 2000 would silently wait until you actually tried to use the larger partitions before trashing your hard drive.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
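The failure mode the comment above describes (a large disk working fine until the outer region is touched, then the partition table being trashed) matches the widely documented 28-bit LBA limit: a driver without LBA48 support silently drops the high address bits, so a write aimed beyond sector 2^28 lands near sector 0, where the MBR and partition table live. That mechanism is my explanation, not something the comment or the Microsoft article spell out. The simulation below is an added example, not code from the thread; the in-memory disk, the minimal MBR and the sector counts are all constructed for illustration.

```python
# Simulation of the 28-bit LBA limit: a driver that only handles 28-bit sector
# addresses truncates larger ones, so a write intended for the far end of a big
# disk overwrites sector 0 (the MBR and partition table). Constructed example.

LBA28_LIMIT = 1 << 28        # 268,435,456 sectors = 128 GiB at 512 bytes/sector
SECTOR_SIZE = 512


class SimDisk:
    """Constructed in-memory disk; only written sectors are stored."""

    def __init__(self, total_sectors, lba48=True):
        self.total_sectors = total_sectors
        self.lba48 = lba48          # whether the simulated driver honours 48-bit LBAs
        self.sectors = {}

    def _resolve(self, lba):
        if lba >= self.total_sectors:
            raise ValueError("sector beyond end of disk")
        if not self.lba48:
            # Truncation: high bits are dropped, so the write wraps to the disk start.
            return lba & (LBA28_LIMIT - 1)
        return lba

    def write(self, lba, data):
        self.sectors[self._resolve(lba)] = data

    def read(self, lba):
        return self.sectors.get(self._resolve(lba), b"\x00" * SECTOR_SIZE)


def install_mbr(disk):
    # Constructed minimal MBR: zero boot code plus the 0x55AA boot signature.
    disk.write(0, b"\x00" * 510 + b"\x55\xaa")


def mbr_intact(disk):
    """True if the boot signature at the end of sector 0 is still present."""
    return disk.read(0)[510:512] == b"\x55\xaa"


def needs_lba48(total_sectors):
    """Flag a disk whose highest sector cannot be addressed with 28 bits."""
    return total_sectors > LBA28_LIMIT


def demo(lba48):
    """Write a file at the outer end of a 129 GiB disk; report whether sector 0 survived."""
    disk = SimDisk(total_sectors=LBA28_LIMIT + 2_000_000, lba48=lba48)
    install_mbr(disk)
    for lba in range(LBA28_LIMIT, LBA28_LIMIT + 8):
        disk.write(lba, b"\xff" * SECTOR_SIZE)   # data lands beyond the 28-bit boundary
    return mbr_intact(disk)


if __name__ == "__main__":
    print("LBA48 driver, MBR intact:", demo(lba48=True))
    print("28-bit driver, MBR intact:", demo(lba48=False))
```

The check a practitioner would want is `needs_lba48`: any disk with more than 2^28 sectors must only be partitioned and used with a driver that honours 48-bit addresses, and the partition table (not just the OS installation) should be backed up before enabling the larger region.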
  3. Re:Of course it is... all your responsibility... by Grand Facade · Score: 2, Informative

    I'm certain MS's EULA absolves them of any responsibility or liability for what happens to your machine or your data.....

    --
    Rick B.
  4. Re:Flame on! by 10101001 10101001 · Score: 2, Informative

    When someone comes to me with a computer (or other) problem, I ask them 1. what they think is wrong and 2. what did they do to try and solve it. My problem is that he didn't even make a token effort at step 2. He stopped at step 1 (I don't know what this patch is doing) and then went complaining.

    The reason he's complaining is because each patch report is supposed to cover a patch that fixes a specific problem, linked to with the bug report. His complaint isn't with the patch. It's with the report about the patch seeming to cover two, or possibly three, different bugs, of which only one is listed in the bug report. Having said that, he can't do a damn thing to fix the report; he can tell MS or the media that their patch/bug report pairing seems to be inconsistent. Given that he has a history of providing information to MS and other security bug tracking companies while waiting quite a while (it mentions sitting on a bug for 6 months without making it public) to report to the public, I'd make the assumption that he's commented in some way to MS about what he sees as a discrepancy before speaking to the public, so he's probably engaged in step 2. Of course he might not have, but then reporting to the media a problem he sees is *also* a way towards step 2, though some would see it as less ethical (and are probably in the same camp that is against reporting security vulnerabilities to the public, as it seems unfairly harmful to the company and/or its users).

    So, regardless of whether the patch actually is only for the bug listed in the bug report, the patch report is wrong.

    --
    Eurohacker European paranoia, gun rights, and h