Security Politics

truth

On April 13th, Microsoft released MS10-024, patching its SMTP services on multiple platforms and stating:

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service.

In this story in Security Magazine, Microsoft copped some pointed criticism because that wasn’t an accurate description of what was patched.

In addition to what was disclosed, the update also fixed some DNS poisoning bugs, which are much more severe than the disclosed denial of service. Microsoft later confessed this.

Now we all know it’s common for vendors to keep users in the dark and silently patch things. But then you can’t trust that what your vendor tells you is true, you don’t know what changes a patch is making to your systems before you apply it, and you can’t make any intelligent decisions about the priority of the patch.

And in the end you form a level of resentment and mistrust of your vendor that their marketing people spend squillions of dollars trying to understand.

Hiding from the truth never fixes anything.

Carlton

Posted by Carlton Duston on 12 May 2010 | 0 comments
Tagged with News
