Researcher says Microsoft patches need more info

A security researcher with a working relationship with Microsoft said this week that the Redmond, Wash.-based software giant should be more forthcoming in its patch releases.

Matt Murphy said Wednesday on the SecuriTeam blog that Microsoft used semantics in its latest Patch Tuesday release to downplay the threats that face the company's software.

"Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn't patch phantom vulnerabilities that don't exist or unrealistic science-fiction attack scenarios," Murphy said. "Microsoft's under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don't know what the patches are for. It's virtually impossible to make a determination about a deployment timeframe if not deploying a patch has the potential to place you at additional, unknown risk."

Microsoft released five security bulletins – three of which were deemed critical – on Tuesday as part of its monthly patch distribution process.

Some experts had urged Microsoft to release the patch early.

A Microsoft spokesman said today that the company, which "(views) his blog posting as welcome feedback on how we can continue to improve our security bulletins," releases an appropriate amount of information, enough for customers but not so much that malicious users can turn it to their advantage.

"As is our normal practice for security bulletins, we document the existence of any additional defense-in-depth product behavioral changes, as well as the area of functionality where the change occurred, so that customers can assess the impact to their environments," said the spokesperson. "However, providing more detail on internal product changes could serve to aid attackers."
