Welcome to p2pnet.net - The original daily p2p and digital news site. Always First!
Microsoft’s ‘silent’ security fixes

p2p news / p2pnet: Microsoft admits details of security problems are kept secret, but says it has good reason.

In an eWEEK interview, Mike Reavey, operations manager of the MSRC (Microsoft Security Response Center), says Bill and the Boyz, "want to make sure we don’t give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers."

Apple takes the same view.

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred, and any necessary patches or releases are available," it says in a release on a Java security hole.

However, "silent fixes have a way of backfiring and hurting businesses that depend on information from the vendor to determine deployment time frames and the actual severity of the patched vulnerability," say critics quoted in the eWEEK story.

"According to eEye Digital Security, which sells host-based IPS (intrusion prevention system) technology, silent fixes from Microsoft are commonplace," it says.

"It is the skeleton in Microsoft’s closet," said Steve Manzuik, product manager of eEye’s security research team. "We routinely find them."

Manzuik said Microsoft has been silently fixing bugs as far back as 2004.

But, "Microsoft’s customers depend on that information to figure out how to respond to Patch Tuesday," he continues. "The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren’t included, he won’t install that patch. That is a big problem."

Moreover, "IT departments do not have the skill or resources to reverse-engineer every patch."

"They are simply left in the dark and may ignore a patch that is super-critical to their environment." Meanwhile, "the bad guy has spent the time to find out what was silently fixed," Manzuik adds in the eWEEK item, "arguing that Microsoft has a responsibility to make sure businesses are fully informed about software changes".

Also See:
eWEEK - Microsoft Patches: When Silence Isn’t Golden, April 19, 2006
Security hole - Apple Java vulnerability, April 19, 2006

2 Responses to “Microsoft’s ‘silent’ security fixes”

  1. Reader's Write Says:

    Mulligan’s corollary to Murphy’s Law:

    “There’s never enough time to do it correctly in the first place, but there’s always time to do it over.”

  2. Reader's Write Says:

    Silent fixes also let Microsoft deflate their bug and security vulnerability numbers.
