Misleading and Incomplete Information in Today's MS Bulletin


Microsoft’s Patch Tuesday has struck again. It seems that in order to enjoy Microsoft’s recent patch days, one must really appreciate the oh-so-sweet smell of downplay.

Today was no exception. Today’s downplay of the month goes to MS06-015. That bulletin announced a patch which supposedly plugged a single “Windows Shell Vulnerability” involving the shell’s handling of COM objects. It states, rather paradoxically:

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

[…]

Note The update for this vulnerability also addresses a publicly disclosed variation that has been assigned Common Vulnerability and Exposure number CVE-2004-2289.


According to a VIM post by Steve Christey, this vulnerability has been known since May 2004. So, let me get this straight.

SecuriTeam Blogs » Misleading and Incomplete Information in MS06-015

Linked by shanmuga Wednesday, 12th April 2006 9:39PM