Security firm reveals Microsoft's 'silent' patches

Microsoft acknowledges fixing internally-found flaws without disclosing details

By , Computerworld |  Security, Microsoft, Microsoft Exchange

Arce argued that that was exactly what Microsoft did in the case of MS10-024. "They fixed a very similar vulnerability in MS08-037 two years ago," he said, talking about the critical 2008 patch to plug the DNS vulnerabilities Kaminsky discovered. "If it wasn't a vulnerability then, why did they issue a vulnerability bulletin?" asked Arce. "There's no reasonable way for them to say this isn't a security problem."

"There is no easy answer for the vendor or customer," Storms said. "If the vendor distributed a critical patch, but with little information, like Adobe for example, we would all be hammering on the vendor for more information. On the other hand, given the workload on enterprise security teams we need to trust the vendor's rating to help determine priority."

Core's advisories on the silent patching of MS10-024 and MS10-028 are available on its Web site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Read more about security in Computerworld's Security Knowledge Center.


Originally published on Computerworld.