Hacker Group Targets Firms that Hide Security Flaws

,----[ Quote ]
| A self-styled ethical hacker group plans to counter moves by companies that
| attempt to bury security vulnerability information in order to protect their
| businesses.


Sounds like a perfect description of Microsoft, which hides flaws and sometimes
refuses to patch them for years until massive attacks on users force them to.
Some examples below.

Just days ago:

Months-Old Excel Exploit Goes Public

,----[ Quote ]
| Microsoft labeled CVE-2008-0081 "critical" on Excel 2000, and "important" on
| Excel 2002 and 2003.
| Microsoft first acknowledged the Excel bug more than two months ago, when it
| confirmed that hackers were attacking Windows machines via Excel. At the
| time, the company's security team characterized the attacks as "targeted and
| not widespread." *



Microsoft fixes a dozen Office flaws in four patches; all are critical

,----[ Quote ]
| Microsoft today released its March 2008 security bulletin, which includes
| four bulletins, all deemed critical by Microsoft.


Bots rule in cyberspace

,----[ Quote ]
| USA TODAY REPORTS that on an average day, 40 per cent of the 800 million
| computers connected to the Internet are bots used to send out spam, viruses
| and to mine for sensitive personal data.



Microsoft quietly tackles known Wi-Fi flaw

,----[ Quote ]
| Microsoft has quietly posted an update found here. The update
| prevents a Windows wireless client on a laptop from advertising
| its preferred wireless network list to the world at large.
| But the update appears to leave open the larger problem, which
| is having your laptop connect to a criminal rogue access point
| with the same default name as one of your preferred home networks.


Vista SP1 will contain undocumented fixes

,----[ Quote ]
| Interesting email in today mailbag: *“Will SP1 contain undisclosed or
| undocumented security fixes?”
| For some people, counting the number of security flaws that one OS has
| compared to another is important because it offers a metric upon which to *
| determine which OS is the most secure (personally, I feel that it’s a bogus
| metric, but I’ll let it slide for now). *However, many claim that Microsoft
| stacks the deck in its favor by not disclosing a full list of vulnerabilities
| that have been patched by omitting to include those discovered and patched
| in-house. * * *


Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update. * * *



Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions. *


Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?


Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
| [...]
| The point: Don't count on security flaw counting. The real flaw is
| the counting.