Silent patches in IE?

Talk about internet security, computer security, personal security, your social security number...
Post Reply
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Silent patches in IE?

Post by Alan Baxter »

If I recall correctly, Microsoft has a history of including silent patches in some of its software updates, i.e. occasionally some patched vulnerabilities that are discovered internally or reported privately aren't detailed in the release notes. Hence, in another forum I said:
Alan wrote:New vulnerabilities are being discovered all the time. Most of them are kept secret until they're fixed, but some of the browsers don't report their vulnerabilities even after they're fixed. Except for Firefox: in its release notes it reports all of the vulnerabilities that are fixed in each release.
A subsequent poster replied:
Fx Lover wrote:At any rate, I LOVE FF as it reports anything it fixed!
And then another poster, who has a history of being an IE defender, replied:
IE User wrote:So does Chrome, IE, Opera and Safari.
Now I don't want to start another browser flame war. I think IE is a pretty good browser and doesn't need to be defended. I just prefer Firefox. But I don't think I'm mistaken about Microsoft's silent updates.
Microsoft criticized for silent patches
Skeletons in Microsoft's Patch Day closet

Can anyone recommend better source material, possibly including something IE specific?

I've pretty much decided not to derail the thread in the other forum with an off-topic debate, or pointlessly aggravate the IE defender, so I guess my request might be only of academic interest. Then again, with sufficient ammunition, I might... :twisted:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Silent patches in IE?

Post by therube »

Some discussion along the same lines here, Windows Vista the Most Secure Operating System.

There have been a number of "metrics" done by Mozilla or Mozilla related/interested parties comparing aspects of browsers. Be it JavaScript performance or bugs or time to fix bugs ... Just don't ask me where to find them.

Measure What Matters – The SEC Essentials

http://blog.mozilla.com/security/?s=metric
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Silent patches in IE?

Post by luntrus »

Hi Alan Baxter,

Security is not always the main aim of the silent patch, but silent updates boost adoption of updates.
As adoption of updates is there for the users that cannot seem to critically update and so putting other users at risk, this is a good thing. Secunia PSI should be widely adopted to make a big difference, also where overall security is concerned.
Why good for some browsers it could be be a bad concept in others, because users still use various browser versions and extensions, etc.
In the case of GoogleChrome silent patches are a big advancement, but on the other side SrWare's Iron never followed this policy, it does not even have an automatic updater. The user has to act out of his or her own personal responsibility.
Silent updates, upgrades, patches - all right, but there always should be a way out in the form of an opt-out.
There could be incompatibilities why a particular user would object to a particular silent patch, and circumstances where silent patches should be welcomed as never before. It all depends.
Let us start a discussion about the benefits and the disadvantages (non-browser-specific), I am looking forward to the opinions of our other forum members. Boy, how much this InformAction forum has already brought me - good observations, insights, analytical know-how. I am grateful to all of you, I really am,

Damian aka luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090719 Shiretoko/3.5.1pre
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Silent patches in IE?

Post by therube »

Well if there were an opt-out or any other type of notification, then the updates would no longer be "silent".

Perhaps instead of "silent" we should call it "undisclosed".

Microsoft publishes in advance lists of changes (updates) that are to be expected for the following "second Tuesday" updates.
But, also included in with these updates - sometimes, are changes (updates) that they have not disclosed.
When a company is doing due diligence to verify that their apps will not break, they can only work with the information on hand.
So they do so, figuring all will be OK, but then they come to find out that something broke. And the cause may have been something that was not disclosed.

PS: Any known high security Mozilla updates are hidden from the general populous as they are being worked on - until such time as someone independently discloses the vulnerability at hand. (At that point, as it is then public knowledge, it is worthless to keep the discussion hidden.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 SeaMonkey/2.0b1pre
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Silent patches in IE?

Post by Alan Baxter »

Hi, Damian. I'm not talking about silent updates. If not here, I've advocated for them in the Avast forums. Silent Updates:
http://www.techzoom.net/publications/silent-updates/
http://www.thetechherald.com/article.ph ... r-security
http://searchsecurity.techtarget.com/ne ... 58,00.html

As therube has just explained, I'm talking about an update, silent or otherwise, that contains vulnerability patches which aren't enumerated in the update's release notes, i.e. silent patches. Silent patches are referred to in the links in my original post.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Post Reply