Cyber Security Institute

Monday, April 17, 2006

Microsoft criticized for silent patches

Some security researchers took issue last week with little-documented changes made by Microsoft to Windows in the last batch of security updates, but the software giant responded in a blog posting on Saturday that sometimes less information means better security.  The advisory stated that the vulnerability being fixed was privately reported but that a “variation” of the flaw had been publicly disclosed in May 2004.  Microsoft should have stated that the original vulnerability—more than 700 days old—had been fixed as well as a more recent, privately disclosed flaw, vulnerability researcher Matthew Murphy stated in a blog post.

The security researcher, a student in the information systems program at Missouri State University, is currently working with Metasploit founder HD Moore to find flaws in Internet Explorer and other browsers using data fuzzing techniques.  Murphy and others also took issue with the lack of details about Microsoft’s other security enhancements, including defense-in-depth changes and changes to how ActiveX controls are run.

Posted on 04/17