Shostack + Friends Blog Archive


Matt Murphy on Microsoft & Transparency

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s virtually impossible to make a determination about a deployment timeframe if not deploying a patch has the potential to place you at an additional, unknown risk. As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information.

Read “Misleading and Incomplete Information in MS06-015.” I’ve long believed that systems managers need deep information to drive their decision-making process, and reading tea leaves is a bad thing.

[Update: Mike Reavy has a response in “Information regarding MS06-015.” See the final paragraph.]