
Blog Archives

  • Google Project Zero: 90-day disclosure is working, with 97.5% of reported vulns being fixed within 90 days

    Posted on August 2nd, 2019 at 10:12 by woody

    The details are a little more complicated, but not much. Google’s Project Zero has turned up 1,434 security vulnerabilities in the past four and a half years:

    Of these, 1224 were fixed within 90 days, and a further 174 issues were fixed within the 14-day grace period [granted when it looks like the manufacturer is going to release a patch shortly]. That leaves 36 vulnerabilities that were disclosed without a patch being available to users, or in other words 97.5% of our issues are fixed under deadline.

    Realize that Google has a vested interest in saying that their disclosure policy is good for all of us — debatable, but I strongly agree — and they come to the conclusion:

    If most bugs are fixed in a reasonable timeframe (i.e. less than 90 days), then we are only enforcing the deadline on a very small number of unfixed cases. And if disclosing a handful of unfixed vulnerabilities doesn’t substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles, then it would follow that a deadline based disclosure policy is good for user security overall.

    Interesting report. Thanks to Catalin Cimpanu, who has additional observations on ZDNet.

  • MS re-re-..release (again) of KB 2952664 and KB 2976978

    Posted on June 6th, 2017 at 16:09 by PKCano

    We’re seeing a recurrence of the two snooping patches, KB2952664 for Win7 and KB2976978 for Win8.1. The last time they showed up was on March 7th, but now they’re back…


    Microsoft describes them as a “Compatibility update for keeping Windows up-to-date.”

    This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.

    They are appearing as unchecked Optional now, which means they won’t be installed unless you check the corresponding box in Windows Update.
    Their status may change next week to Recommended and, for some, they may show up as checked Important on Patch Tuesday.

  • Microsoft releases 13 Optional Windows patches

    Posted on May 20th, 2015 at 07:12 by woody

    There’s an obscure Azure-related fix KB 3040272. If anybody can shed light on Microsoft’s explanation, I’d appreciate it!

    InfoWorld Tech Watch