Microsoft's Security Disclosures Come Under Fire
Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins?
Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of "misleading" customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11.
http://www.eweek.com/article2/0,1895,1949279,00.asp
Microsoft's response to the above is at http://blogs.technet.com/msrc/archive/2006/04/15/425311.aspx
"Another question I’ve gotten is around the defense in depth change documented in MS06-015. There’s been some confusion around that I think, but as is our normal practice for security bulletins, we document the existence of any additional defense in depth product behavioral changes, as well as the area of functionality where the change occurred so that customers can assess the impact to their environments. However, providing more detail on internal product changes could serve to aid attackers. Suffice to say the change is *not* related to a software vulnerability, merely a product behavior change to make the product more resilient to attack. There’s been some feedback we can make that more clear so we will work to do so in the future. On the whole, customers have been clear that we need to strike a balance between providing information to assess risk, and aiding attackers. But as our constant readers know, the information in our security bulletins has become more and more detailed over time so we certainly will be listening to your feedback about the information we provide to make the bulletins better."