Microsoft’s Security Claims Don’t Stand Up to Scrutiny
,----[ Quote ]
| As I said, these claims are full of issues. Here are the problems with the
| arguments: (not every such argument suffers from all these flaws, but all of
| them suffer from one or more of them)
|
| * The severity of the vulnerabilities is not included. Security
| vulnerabilities are ranked by what kind of a threat they pose. If this
| data is not included, a product with 100 minor glitches of almost no
| consequence would be considered less secure than a product with 75 major
| glitches. (The kind of thing where a hacker can take control of your
| computer.)
| * There is no consideration of the status of a vulnerability. If a
| vulnerability is quickely fixed it is counted the same as if it has been
| weeks or months and is still unfixed.
|
| * Not all companies admit to all the bugs that exist. In an open-source
| project like Ubuntu, if a bug is found and can be duplicated, it is known
| and reported, but not all companies act this way.
`----
http://www.linuxloop.com/news/2008/02/03/microsofts-security-claims-dont-stand-up-to-scrutiny/
Related:
Critical Vulnerability in Microsoft Metrics
,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update.
`----
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
http://antitrust.slated.org/www.iowaconsumercase.org/011607/3000/PX03096.pdf
Skeletons in Microsoft’s Patch Day closet
,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.
`----
http://blogs.zdnet.com/security/?p=316
Beware of undisclosed Microsoft patches
,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----
http://blogs.zdnet.com/microsoft/?p=527
Microsoft is Counting Bugs Again
,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
|
| [...]
|
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html?kc=MWRSS02129TX1K0000535
|
|