Microsoft fixes bugs when you are not looking

Vole accused of misleading customers

A SECURITY researcher who worked with Microsoft's Security Response Centre has accused Vole of pulling the wool over the eyes of its customers.
Matthew Murphy claims that Microsoft is secretly fixing security vulnerabilities and deliberately hiding details about patches in its monthly security bulletins.

He said that the software maker of misleading customers by not clearly spelling out exactly what is being patched in its bulletins.

The last bulletin was rated "critical" and contained patches for a hole in Explorer. But when Murphy scanned the fine print in the bulletin he discovered that the update also fixed a flaw which had been labelled as a "publicly disclosed variation" of a flaw that was reported in May 2004.

In other words, it was a flaw someone had found privately and told Vole about it. Vole had fixed it and labelled it in fairly nebulous terms in the hope that no-one would spot it.

Murphy told Eweek that another "throwaway line" in the bulletin also raised questions about whether a flaw he reported in August 2005 had also been silently fixed.

Murphy said that users didn’t know what the patches were for and it was impossible to make a decision about a deployment time frame.


Related Links:

• Go back to category Internet & Networks to read more reviews and articles.
• Go back to Software Magazine's main page.