Microsoft Catches Flak for Lack of Vulnerability Disclosure
News stories last week discussed a blog entry (at the URL below) by Matthew Murphy of SecuriTeam that hammered Microsoft for what Murphy thinks is a lack of adequate vulnerability disclosure. Murphy's beef with Microsoft relates to Microsoft Security Bulletin MS06-015--Vulnerability in Windows Explorer Could Allow Remote Code Execution. In a nutshell, Murphy wants Microsoft to offer more details about vulnerabilities. (MS06-015 also happens to be the security bulletin that proved to be buggy--an update was due to be released yesterday.)
Many think that Microsoft's disclosure practices border on the silent fixing of security issues. It's no secret that in the past Microsoft has silently fixed security problems and sometimes has misinformed the public about the ramifications of security problems. Microsoft and many other companies don't like the publicity related to security problems, so they try to keep matters as quiet and calm as possible.
Granted, each company is free to establish its own policies about disclosure and few are forthcoming with complete details in any given instance of vulnerability discovery. For example, Apple silently fixes security problems and rarely if ever releases any substantial details about them. But then people interested in security don't place Apple under the same microscope as Microsoft.