Microsoft Admits to Hiding Flaw Details
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
Doesn't SLASH have a similar policy?
For security-related bugs, please email security@slashcode.com. We will adhere to the RFPolicy and request that you do too; please keep security issues private until all sites running Slash have a chance to apply fixes. Thanks.
The attackers are already reverse-engineering the patches. They have the time and resources to find out where the flaw lies. The guy that feels the pain is the system administrator who is in the dark and who can't do his own reverse-engineering.
That would be an insightful comment... in fantasy land. Most Windows system administrators are not programmers, and of those that are fewer still are technically skilled enough to reverse engineer a binary patch. Microsoft has a valid point when they say that publishing vulnerabilities mainly helps out 'bad guys' because the majority of their 'good guy' users don't have the skills to counterattack. It's not like the open-source world, where there's a large community of skilled programmers ready and willing to publish fixes... and, more importantly, outnumber skill-wise any malicious programmers.
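The two comments above argue about who can reverse-engineer a silent fix. As an added example (not part of the original thread, and not Microsoft's or Slash's code), here is the minimal patch-diffing pass that does that work: align an unpatched and a patched binary image, report the regions that differ, and translate offsets from the old image to the new one. The "binaries" are constructed by hand: a 32-bit x86 copy routine before and after a fix that inserts a `cmp eax, 0x100 / ja` bounds check in front of the copy. The pattern recogniser (`describe_insert`) is a deliberately narrow assumption for this sample, not a general decoder.

```python
"""Patch diffing in miniature: where did the silent fix land, and what shifted?

Everything below is constructed for illustration; the byte strings are not from
any real vendor patch.
"""
import difflib
import struct

# Constructed sample routine (32-bit x86), assembled by hand for this example.
PROLOGUE = bytes.fromhex("5589e58b4508")       # push ebp; mov ebp,esp; mov eax,[ebp+8]
BOUNDS_CHECK = bytes.fromhex("3d000100007705")  # cmp eax,0x100; ja +5 (skip the copy)
COPY_AND_RET = bytes.fromhex("8b4d0cf3a45dc3")  # mov ecx,[ebp+0xc]; rep movsb; pop ebp; ret
NEXT_FUNC = bytes.fromhex("5589e531c05dc3")     # unrelated neighbouring function, unchanged

OLD_IMAGE = PROLOGUE + COPY_AND_RET + NEXT_FUNC                 # before the silent fix
NEW_IMAGE = PROLOGUE + BOUNDS_CHECK + COPY_AND_RET + NEXT_FUNC  # after the silent fix


def diff_images(old: bytes, new: bytes):
    """Align two byte images and return every non-equal region as
    (tag, old_start, old_end, new_start, new_end).

    SequenceMatcher works on any hashable elements, so raw bytes are fine.
    autojunk=False keeps it from discarding 'popular' bytes (0x00, 0x8b ...)
    in larger images, which would wreck the alignment.
    """
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [op for op in sm.get_opcodes() if op[0] != "equal"]


def map_offset(old: bytes, new: bytes, old_off: int):
    """Translate an offset in the unpatched image to the patched one.

    Returns None when the byte at old_off was replaced or removed. This is the
    step an offset-keyed signature silently skips: the instruction is still
    there, it just is not where the signature looks.
    """
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal" and i1 <= old_off < i2:
            return j1 + (old_off - i1)
    return None


def describe_insert(chunk: bytes):
    """Assumption for this sample only: recognise 'cmp eax, imm32' (3d imm32)
    followed by 'ja rel8' (77 rel8) and return the imm32 limit, else None."""
    if len(chunk) >= 7 and chunk[0] == 0x3D and chunk[5] == 0x77:
        return struct.unpack("<I", chunk[1:5])[0]
    return None


def report(old: bytes, new: bytes) -> list:
    """Human-readable lines for each changed region (also returned for testing)."""
    lines = []
    for tag, i1, i2, j1, j2 in diff_images(old, new):
        chunk = new[j1:j2]
        line = f"{tag}: old[{i1}:{i2}] -> new[{j1}:{j2}] {chunk.hex()}"
        limit = describe_insert(chunk)
        if limit is not None:
            line += f"  (looks like an added bounds check, limit 0x{limit:x})"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(OLD_IMAGE, NEW_IMAGE):
        print(line)
    # The 'rep movsb' sits at old offset 9; show where it went.
    print("rep movsb moved from offset 9 to", map_offset(OLD_IMAGE, NEW_IMAGE, 9))
```

On real patches the same approach needs a disassembler and function-level matching rather than raw byte alignment, but the lesson is identical: once the diff is in hand, the inserted instructions point straight at the fixed bug, and any detection keyed on old offsets needs the mapping step before it is worth anything.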