Microsoft Cheating on Patch Tuesday...?
Ryan Naraine over at ZDNet reports that Microsoft hasn't exactly been completely above board when it comes to announcing what each patch really fixes. According to Ryan, there is more to a Microsoft patch than meets the eye...
Last Tuesday, when Microsoft released the MS07-030 bulletin to fix a remote code execution hole in Visio, the first line in the executive summary caught my attention: "This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation." (emphasis mine)
This is the first time I’ve seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins — a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.
The article goes on to talk with Marc Maiffret, co-founder of eEye Digital Security, who condemns this practice as both ineffective at hiding problems from attackers and problematic for the Windows administrators who rely on the bulletin information: "You're not fooling exploit writers with silent fixes. You're only fooling your customers."
Does this infuriate you? In a way, it should. Obfuscation as a mechanism for security rarely works.
Just ask anyone in cryptography, where the number one rule for any cryptographic algorithm is that the only way to prove its worth is to release it publicly. The algorithm should be able to stand on its own under transparent, public scrutiny.