Cyber Security Institute
Monday, April 17, 2006
Microsoft criticized for silent patches
Some security researchers took issue last week with little-documented changes made by Microsoft to Windows in the last batch of security updates, but the software giant responded in a blog posting on Saturday that sometimes less information means better security. The advisory stated that the vulnerability being fixed was privately reported but that a “variation” of the flaw had been publicly disclosed in May 2004. Microsoft should have stated that the original vulnerability—more than 700 days old—had been fixed as well as a more recent, privately disclosed flaw, vulnerability researcher Matthew Murphy stated in a blog post.
The security researcher, a student in the information systems program at Missouri State University, is currently working with Metasploit founder HD Moore to find flaws in Internet Explorer and other browsers using data fuzzing techniques. Murphy and others also took issue with the lack of details about Microsoft’s other security enhancements, including defense-in-depth changes and changes to how ActiveX controls are run.