Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Security Disclosures Come Under Fire

Posted by ryuzaki0 on from the full-and-we-mean-full dept.

Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."

7 of 150 comments (clear)

  1. Patches by dotslashdot · · Score: 5, Funny

    How would you like a birth control patch that also doubles as a nicotine patch without your knowledge? Sure you can have sex without worrying about getting pregnant, but there would be no cigarette afterwards. What MS has done is taken away the cigarette from the consumer. My Windows sex machine can "interface" all night long without getting pregnant, but it can still get STDs and won't be smoking any more afterwards.

    1. Re:Patches by WilliamSChips · · Score: 5, Funny

      And I thought car analogies were bad...

      --
      Please, for the good of Humanity, vote Obama.
  2. For "users" it is fine... For biz - no. by NotQuiteReal · · Score: 5, Insightful
    For most folks, hey, it's all mumbo jumbo anyhow. Closed source, closed patches. "It's an update, Trust us, you want it." - OK, Click.

    For Business users, they might actually want to know what might break if they do the update - especially since many cannot be "un-done".

    --
    This issue is a bit more complicated than you think.
  3. Yes by WebHostingGuy · · Score: 5, Insightful

    This brings up the age old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the Courts and Cisco ended up with a public black-eye. Based upon the IT reaction to that I would venture the assumption that we want to know.

    --
    Quality Hosting e3 Servers
  4. Security by obscurity at its best by hweimer · · Score: 5, Insightful

    If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?

    You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.

    --
    OS Reviews: Free and Open Source Software
  5. Hidden DRM? by Clazzy · · Score: 5, Interesting

    Remember when there was an update to Windows Media Player that added those DRM module things and there was a big outcry? I may be acting a bit paranoid, but isn't it remotely possible that Microsoft could sneak in other restrictions like this without users ever knowing?

    --
    If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
  6. Here is the problem by IntelliAdmin · · Score: 5, Interesting

    The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.