Microsoft Official Admits to Quiet Security Patching
,----[ Quote ]
| Microsoft doesn't report all security
| vulnerabilities that it fixes in its
| software. Bug comparisons between vendors
| therefore paint an incorrect picture.
|
| "We don't document every issue found," Mike
| Reavey, director of the Microsoft Security
| Response Center (MSRC), said at a meeting
| with reporters at the company's corporate
| headquarters in Redmond, Washington.
|
| Microsoft will issue a Common
| Vulnerabilities and Exposures (CVE) number
| to a vulnerability for flaws that share the
| same severity, have an attack vector and a
| workaround. If several flaws share all the
| same properties, they will not be reported
| separately, Reavey said.
|
| The nondisclosure of fixes was brought to
| light early this month by a company called
| Core Security Technologies. After studying
| the Microsoft patches MS10-024 and
| MS10-028, it noticed three silent fixes.
| Security bulletin MS10-028 addressed a
| flaw that would expose a user of Microsoft
| Visio to a buffer overflow attack, which
| would allow an attacker to take over
| control of the system.
`----
http://www.pcworld.com/article/197410/microsoft_official_admits_to_quiet_security_patching.html
Recent:
Microsoft issues 'silent' patches; AT&T to pay for slow DSL speeds
http://www.networkworld.com/podcasts/360/2010/050610-nw360-daily.html
Microsoft "silently" patches vulnerabilities, leaves admins in the dark
http://www.zdnet.com/blog/hardware/microsoft-silently-patches-vulnerabilities-leaves-admins-in-the-dark/8239
Security Firm Makes Noise About Microsoft Silent Patching
,----[ Quote ]
| Note that a policy such as this implies that
| Microsoft will not patch known, internally-
| discovered vulnerabilities if an externally-
| sourced vulnerability of the same or lesser
| severity is not available for the silent
| patch to piggyback on. They'll sit on it, and
| we won't know for how long because they don't
| document it.
`----
http://blogs.pcmag.com/securitywatch/2010/05/security_firm_makes_noise_abou.php
US government finally admits most piracy estimates are bogus
,----[ Quote ]
| We've all seen the studies trumpeting
| massive losses to the US economy from
| piracy. One famous figure, used literally
| for decades by rightsholders and the
| government, said that 750,000 jobs and up to
| $250 billion a year could be lost in the US
| economy thanks to IP infringement. A couple
| years ago, we thoroughly debunked that
| figure. For years, Business Software
| Alliance reports on software piracy assumed
| that each illicit copy was a lost sale. And
| the MPAA's own commissioned study on movie
| piracy turned out to overstate collegiate
| downloading by a factor of three.
|
| Can we trust any of these claims about
| piracy?
|
| The US doesn't think so. In a new report out
| yesterday, the government's own internal
| watchdog took a close look at "efforts to
| quantify the economic effects of counterfeit
| and pirated goods." After examining all the
| data and consulting with numerous experts
| inside and outside of government, the
| Government Accountability Office concluded
| (PDF) that it is "difficult, if not
| impossible, to quantify the economy-wide
| impacts."
`----
http://arstechnica.com/tech-policy/news/2010/04/us-government-finally-admits-most-piracy-estimates-are-bogus.ars