Re: Microsoft criticized for silent patches

This is very unclear to me. I would need more information to have an

You have left out Microsoft's comments, so your argument is one sided. Here
they are - at least as according to the article you give.

"As is our normal practice for security bulletins, we document the existence
of any additional defense in depth product behavioral changes, as well as
the area of functionality where the change occurred so that customers can
assess the impact to their environments," Mike Reavey, security program
manager for Microsoft, wrote Saturday on the Microsoft Security Response
Center (MSRC) blog. "However, providing more detail on internal product
changes could serve to aid attackers."

If the two issues are related, that does not mean they are the same issue or
that the fix is the same. In order to know that, you would need internal
product information that Microsoft is right to withhold. So, there is a
possibility (I believe a strong one) that they are not the same issue and
therefore the second issue was in fact it was not reported 700 days ago.

So, the only proven point I see so far is that Microsoft is fixing security
issues. And that isn't a bad thing.


"Michael D. Ober" <> wrote in message

And your point is???

MS fixed the problem - finally. It is somewhat disconcerting that the
original flaw was reported over two years before it was fixed. You are
quibbling about the wording of the bulletin when you should be blasting MS
for taking two years to fix the problem.

Mike Ober.

"Imhotep" <imhotep@xxxxxxxxxx> wrote in message
"The criticism focused on a two issues in Microsoft's security bulletin
documenting the changes to Windows systems by a patch released last
Tuesday. The advisory stated that the vulnerability being fixed was
privately reported but that a "variation" of the flaw had been publicly
disclosed in May 2004. Microsoft should have stated that the original
vulnerability--more than 700 days old--had been fixed as well as a more
recent, privately disclosed flaw, vulnerability researcher Matthew Murphy
stated in a blog post."

"The information as published is extremely misleading and Microsoft's
not to document a publicly-reported vulnerability is not one that will be
for the benefit of its customers' security," wrote Murphy. The security
researcher, a student in the information systems program at Missouri
University, is currently working with Metasploit founder HD Moore to find
flaws in Internet Explorer and other browsers using data fuzzing



Relevant Pages

  • Re: Please help with pop-ups!!
    ... Sometimes I'm not on the internet ... A1) No. Microsoft NEVER sends emails with security update attachments. ... pages where you can access Windows Update, download patches, or request ...
  • Microsoft Releases Security Update
    ... Microsoft Releases Security Update ... interim security update Friday to protect users of its ... attacks to cripple the Internet. ...
  • RE: ConnectComputer - Permission Denied
    ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... >> This issue is probably a security problem that the ConnectComputer ... In IE, go to Tools, Internet Options, Security. ...
  • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
    ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
  • Re: Microsoft Browser Under Scrutiny
    ... I already know this, I subscribe to Microsoft Security Updates, and I have ... especially Outlook and Internet Explorer. ... > ubiquitous Internet Explorer browser. ...