Comments on: Despite Security Lies and Security Failures, Microsoft Instructs Worldwide Cybersecurity Summit
http://techrights.org/2010/05/11/worldwide-cybersecurity-summit/
Free Software Sentry – watching and reporting maneuvers of those threatened by software freedom

By: Dr. Roy Schestowitz
http://techrights.org/2010/05/11/worldwide-cybersecurity-summit/comment-page-1/#comment-90137
Fri, 14 May 2010 06:06:08 +0000

That’s still an excuse for telling fake numbers.

By: Yuhong Bao
http://techrights.org/2010/05/11/worldwide-cybersecurity-summit/comment-page-1/#comment-90134
Fri, 14 May 2010 01:01:11 +0000

Yea, one reason why this can be nasty is that the security patches can be reverse-engineered using for example the BinDiff plugin of IDA, which would provide all necessary info that would be needed to exploit them.

By: Dr. Roy Schestowitz
http://techrights.org/2010/05/11/worldwide-cybersecurity-summit/comment-page-1/#comment-90133
Fri, 14 May 2010 00:57:09 +0000

Yes. It is important to show that they are doing this.

Microsoft rarely gets caught because it’s hard to review binary-only patches.

By: Yuhong Bao
http://techrights.org/2010/05/11/worldwide-cybersecurity-summit/comment-page-1/#comment-90132
Fri, 14 May 2010 00:46:53 +0000

“Note that a policy such as this implies that Microsoft will not patch known, internally-discovered vulnerabilities if an externally-sourced vulnerability of the same or lesser severity is not available for the silent patch to piggyback on. They’ll sit on it, and we won’t know for how long because they don’t document it.”
Yea, MS seems to be trying hard to pretend that the internally-discovered vulnerabilities do not exist, with nasty side-effects like this one.

By: Yuhong Bao
http://techrights.org/2010/05/11/worldwide-cybersecurity-summit/comment-page-1/#comment-90125
Thu, 13 May 2010 02:14:47 +0000

“Addressing the subject of security, Microsoft spreads lies with its secret patches, which probably mean that there are fake figures in this latest ‘security’ report”
Or more precisely that at best the figures include only the externally-reported ones.
