Microsoft's Security Disclosures Come Under Fire
Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."
For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".
This issue is a bit more complicated than you think.
This brings up the age-old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Black Hat and ended up in the courts, and Cisco ended up with a public black eye. Based upon the IT reaction to that, I would venture the assumption that we want to know.
If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?
You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.
I would think that corporate "Software Assurance" customers who are paying for continual updates and support, and have to support MANY legacy applications that may be affected by such flaws or patches, would be (and ARE) demanding such notifications. Joe Bob Home User doesn't really care, but Fortune 100 Fred in IT sure does, especially when his job (which is to keep the company's infrastructure up and running) is on the line.
How to find out? MD5 sum your /windows folder including the sub-directories (don't forget the hidden ones) before the patch. MD5 sum again after the patch and compare the results. bdiff the questionable file differences and disassemble. At least that's what I used to do as a prior legitimate Windows license(s) owner (but before being called a thief by Microsoft).
Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.
Enjoy,
It's just the normal noises in here.
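The before/after hashing step from the comment above, written out as an added example (this is not the poster's own script or anything from Microsoft). It walks a directory tree, hashes every regular file including those in hidden subdirectories, and reports what a patch added, removed or changed. The poster used MD5; this version defaults to SHA-256, which is a design choice here rather than something the comment specifies. The demo tree it runs against is a constructed temporary directory, not a real Windows folder, and the file names in it are made up for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream a file through hashlib so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algo="sha256"):
    """Return {relative_posix_path: digest} for every regular file under root.

    os.walk does not skip dot-directories or files with the Windows hidden
    attribute, so hidden subdirectories are covered. Symlinks are skipped so a
    link into another tree is not hashed twice. Files that cannot be read
    (locked or permission-denied) are recorded as None so they are flagged
    rather than silently dropped from the manifest.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            try:
                manifest[rel] = hash_file(p, algo)
            except OSError:
                manifest[rel] = None
    return manifest


def diff_manifests(before, after):
    """Compare two manifests; a file unreadable in either snapshot counts as changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        p for p in set(before) & set(after)
        if before[p] is None or after[p] is None or before[p] != after[p]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: snapshot a small tree, simulate a patch, snapshot again.

    The directory and file names are invented for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"A" * 4096)
        (root / "system32" / "untouched.dll").write_bytes(b"B" * 4096)
        (root / ".hidden").mkdir()  # hidden subdirectory must not be missed
        (root / ".hidden" / "cache.bin").write_bytes(b"C" * 100)
        before = hash_tree(root)

        # Simulated patch: rewrites one binary, drops a file, installs a new one.
        (root / "system32" / "kernel.dll").write_bytes(b"A" * 4000 + b"fixed!!!" + b"A" * 88)
        (root / ".hidden" / "cache.bin").unlink()
        (root / "system32" / "newlib.dll").write_bytes(b"D" * 512)
        after = hash_tree(root)

        return diff_manifests(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against a real system folder the script needs to run with enough privilege to read every file, and the manifests should be written to disk before and after the update so the comparison is not done in one process. The follow-on step the comment describes, diffing and disassembling the changed binaries, is separate work that this script only points you at by listing which files moved.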
The bad guys don't need to spend time with compatibility or regression testing for their software.
They can download the patch the day it is released and have an exploit ready that same day. You'll still be meeting to discuss the test plan for your servers.
Attempting to hide information doesn't help anyone except the vendor and the bad guys.
At least if you have the information, you can determine your own level of exposure and decide what mitigating actions you want to take based upon your environment.