Microsoft puts Mac users at risk with patch policy, says SANS researcher

“A security researcher has called foul on Microsoft for doing exactly what it has thrashed hackers over for years: revealing information that can be used to hijack computers before a patch is available,” Gregg Keizer reports for Computerworld.

“Swa Frantzen, one of the analysts at SANS Institute’s Internet Storm Center (ISC) criticized Microsoft for issuing patches yesterday that fix the Windows versions of PowerPoint while announcing that patches for the same flaws in the Mac editions would not be released until June,” Keizer reports.

“‘Microsoft is the one big company screaming loudest over ‘responsible disclosure,’ said Frantzen in a post to the ISC blog late Tuesday. Responsible disclosure, a practice Microsoft has aggressively pushed, demands that researchers delay any disclosure until the bug has been patched. ‘They want an unlimited amount of time to release their patches before those who found the problem are allowed to publish,’ said Frantzen. ‘[But the] policy cuts both ways: You need to obey the rules yourself just as well as demand it from all others involved,'” Keizer reports.

“Microsoft, claimed Frantzen, broke its own rules of responsible disclosure yesterday by revealing that Office for Mac 2004 and Office for Mac 2008 contain three unpatched vulnerabilities, and by releasing information about the same bugs in Windows. The combination, he said, could be used by hackers to craft exploits targeting Macs,” Keizer reports. “‘We all know from past experience [that] the reverse engineering of patches back into exploits starts at the time — if not before — the patches are released,’ said Frantzen. ‘So in the end, Microsoft just released what hackers need to attack.'”

Full article here.

MacDailyNews Take: Yet another reason, as if you needed any, to not use PowerPoint and instead use Apple’s vastly superior Keynote.

[Thanks to MacDailyNews Reader “Cubert” for the heads up.]

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.