Microsoft Admits to Hiding Flaw Details
April 20, 2006
While it's been suspected for some time now, Microsoft has publicly admitted that they silently fix some vulnerabilities with absolutely no disclosure at all. From the article:
“We want to make sure we don't give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers,” Reavey said.
We all know that security through obscurity really doesn't offer any level of protection at all. Don't get me wrong, I'm all for responsible disclosure, but no disclosure at all is just not acceptable. The wrong people will expend the effort to reverse engineer the patches and figure things out. The people who suffer are the helpless Windows administrators. Microsoft has created an admin culture in which most Windows admins apply only the patches that impact their environment. Part of this is a result of so many patches gone bad. But if the security bulletin for a patch says it fixes one thing, while it really also fixes four other things silently, you never know what you're vulnerable to. Now, I'd recommend installing all patches of course, but that's just not reality for most of the Windows world.
This brings up another topic, though. A while back I posted about the year-end vulnerability summary that showed Linux/Unix had more vulnerabilities than Windows. So not only did the report include multiple counts for single apps, and apps that are not even included in base distros on the Linux side, it also didn't count vulnerabilities that Microsoft either never fixed or silently fixed as part of other patches. The worst part of this is that Microsoft uses reports like this in their marketing. So they never fix some vulnerabilities, silently fix others, and then claim that they have fewer vulnerabilities. All in the name of “customer best interest”. Yikes.
Microsoft, MSFT, disclosure, security, Linux, Open Source