[This was originally published on the OSVDB blog.]
Sure, the news that Microsoft silently patches vulnerabilities made the rounds. But honestly, who was surprised in the least? We’ve all known it is a common practice among many vendors, not just Microsoft. As you may have guessed, the reasoning offered for the practice is the justification we have all heard before:
“We want to make sure we don’t give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers,” Mike Reavey said.
OK, we can buy that up to a certain point. So how about just saying “This patch also fixes X vulnerabilities discovered during internal audits”? At least give us an idea of how big the patch really is and help us figure out how many vulnerabilities are actually being fixed. A count alone doesn’t give the bad guys anything they can act on.