Some security researchers took issue last week with little-documented changes made by Microsoft to Windows in the last batch of security updates, but the software giant responded in a blog posting on Saturday that sometimes less information means better security.
The criticism focused on two issues in Microsoft's security bulletin documenting the changes made to Windows systems by a patch released last Tuesday. The advisory stated that the vulnerability being fixed was privately reported but that a "variation" of the flaw had been publicly disclosed in May 2004. Microsoft should have stated that the original vulnerability--more than 700 days old--had been fixed as well as the more recent, privately disclosed flaw, vulnerability researcher Matthew Murphy stated in a blog post.
"The information as published is extremely misleading and Microsoft's choice not to document a publicly-reported vulnerability is not one that will be for the benefit of its customers' security," wrote Murphy. The security researcher, a student in the information systems program at Missouri State University, is currently working with Metasploit founder HD Moore to find flaws in Internet Explorer and other browsers using data fuzzing techniques.
Murphy and others also took issue with the lack of details about Microsoft's other security enhancements, including defense-in-depth changes and changes to how ActiveX controls are run.
However, Microsoft defended the software changes.
"As is our normal practice for security bulletins, we document the existence of any additional defense in depth product behavioral changes, as well as the area of functionality where the change occurred so that customers can assess the impact to their environments," Mike Reavey, security program manager for Microsoft, wrote Saturday on the Microsoft Security Response Center (MSRC) blog. "However, providing more detail on internal product changes could serve to aid attackers."
CORRECTION: The article attributed the Microsoft statement to the wrong member of the Microsoft Security Response Center (MSRC). While Stephen Toulouse apparently posted the comment, the blog attributes the statement to Mike Reavey, also a security program manager at the MSRC.
Posted by: Robert Lemos