dangers of unpublished patching Dec2005

Short story - Microsoft had a security bug in its code that shipped with a version of Visual Studio. A researcher reported it, but M$ didn't fix it immediately. They eventually fixed it silently, but didn't tell anyone about it. Trend Micro, one of the top antivirus vendors, had used the vulnerable code in its own product. Now hundreds of thousands of installations of that product have a security hole, all because the original vuln was patched silently. Yay for corporate policy.

Read it at http://blogs.securiteam.com/index.php/archives/141

These thoughts are my own, unless they're yours. And if they're yours, we may have metaphysical problems beyond simple concept ownership and should probably talk soon.