Linux news
2007 07 12
Microsoft Lying About Number of Patches Again?
Microsoft fixes 11 vulnerabilities - 8 'critical' - on Patch Tuesday
Microsoft released six patches covering 11 vulnerabilities on July's Patch Tuesday, including "critical" fixes impacting Active Directory on Windows 2000 and 2003 Server and .Net Framework products. In all, Microsoft rated eight of the 11 now-patched vulnerabilities as critical.
http://s5h.net/u?ze5e2
They said it would be just 3, not 8. Numbers vary, but it's always more than 3 "critical" vulnerabilities:
http://s5h.net/u?z4fcc2
http://s5h.net/u?z200e
http://s5h.net/u?z1bfe
Related: Microsoft patches Active Directory flaw
The MS07-039 Active Directory update, which is for Windows 2000 Server and Windows Server 2003 systems, should be at the top of enterprise IT administrators' lists, said Eric Schultze, chief security architect with Shavlik Technologies. "That one scares me because those are the crown jewels there. And it looks like you're caught with your pants down at the moment." [...] The flaw deals with the way Active Directory processes LDAP client requests. Attackers could create a malicious LDAP request that would then allow them to "take complete control of an affected system," Microsoft warned in its advisory on the flaw.
http://s5h.net/u?zc3ca
Skeletons in Microsoft's Patch Day closet
This is the first time I've seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins - a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.
http://s5h.net/u?zd675b
Beware of undisclosed Microsoft patches
Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond's silent patching practice?
http://s5h.net/u?z08a9