My blogging colleague Ryan Naraine offers up some interesting food for thought regarding Microsoft's philosophy behind disclosing (or not disclosing) all of the vulnerabilities it is fixing via its patches.
Microsoft is, admittedly, silently patching certain vulnerabilities. The practice isn't unique to Microsoft, as Naraine notes. But it is controversial. Microsoft says it is doing this to thwart "the bad guys." But the silent patching also makes IT administrators' jobs more complicated.
From Naraine's blog post:
“You’re not fooling exploit writers with silent fixes. You’re only fooling your customers,” says Marc Maiffret, co-founder of eEye Digital Security.
Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond's silent patching practice?