diTii.com Digital News Hub


Microsoft: “If several flaws share all the same properties, they won’t be reported separately”

Microsoft doesn’t report all the security vulnerabilities that it fixes. “We don’t document every issue found. Microsoft will issue a Common Vulnerabilities and Exposures number to a vulnerability for flaws that share the same severity properties; they won’t be reported separately,” Mike Reavey said.

The nondisclosure of fixes was brought to light by Core Security Technologies, which noticed three silent fixes after studying security bulletins MS10-024 / 028. MS10-028 addressed a flaw that would expose a user of Microsoft Visio to a buffer overflow attack, which would allow an attacker to take control of the system. Microsoft didn’t report the additional flaws it patched in Visio because: “The attack vector was exactly the same, the severity was exactly the same. From a customer’s perspective, the same workaround — not opening Visio documents from untrusted sources — applied,” Reavey said.

Adobe, too, is keeping quiet about internal vulnerability fixes. At a Microsoft event, Adobe’s Brad Arkin admitted that it won’t assign CVE numbers to bugs that the firm found itself. Adobe considers these updates “code improvements,” Arkin said. CVE numbers are used only for bugs that are actively exploited or that were reported by external researchers.

