Slashdot Mirror


Microsoft's Security Disclosures Come Under Fire

Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."

3 of 150 comments

  1. For "users" it is fine... For biz - no. by NotQuiteReal · Score: 5, Insightful
    For most folks, hey, it's all mumbo jumbo anyhow. Closed source, closed patches. "It's an update. Trust us, you want it." - OK, click.

    For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".

    --
    This issue is a bit more complicated than you think.
  2. Yes by WebHostingGuy · Score: 5, Insightful

    This brings up the age-old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the courts, and Cisco ended up with a public black eye. Based upon the IT reaction to that, I would venture the assumption that we want to know.

    --
    Quality Hosting e3 Servers
  3. Security by obscurity at its best by hweimer · Score: 5, Insightful

    If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?

    You do that already by providing a patch. The bad guys will simply look at the differences between the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.

    --
    OS Reviews: Free and Open Source Software