Arce argued that this was exactly what Microsoft did in the case of MS10-024. "They fixed a very similar vulnerability in MS08-037 two years ago," he said, talking about the critical 2008 patch to plug the DNS vulnerabilities Kaminsky discovered. "If it wasn't a vulnerability then, why did they issue a vulnerability bulletin?" asked Arce. "There's no reasonable way for them to say this isn't a security problem."
"There is no easy answer for the vendor or customer," Storms said. "If the vendor distributed a critical patch, but with little information, like Adobe for example, we would all be hammering on the vendor for more information. On the other hand, given the workload on enterprise security teams we need to trust the vendor's rating to help determine priority."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.