It sounds easy in theory, but all security is a trade-off: how much time does withholding the full details actually buy? Halvar Flake decided to find out for last month's critical flaw in Internet Explorer, and was able to pinpoint the PNG vulnerability within 20 minutes.
No Avoiding Full Disclosure
Vendors such as Microsoft have sometimes released security patches without specifying exactly what is being fixed. The vendor justifies this by saying that it prevents attackers from exploiting the flaw on systems that have not yet been patched. Security analysts counter that, at least in theory, comparing the patched and unpatched software and reverse-engineering the differences will reveal the flaw anyway, because the patch itself marks exactly where the fix was applied.
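The comparison the analysts describe is usually done at function level rather than by a raw byte diff, because a patch that grows one function shifts every relative call and jump after it and would otherwise make half the binary look "changed". The following script, added here as an illustration and not code from the article or from Halvar Flake's work, sketches the idea on a constructed pair of "binaries": each is a dictionary of function name to x86 machine-code bytes (the names, bytes and function boundaries are made up; real work would recover them with a disassembler). Call and jump displacements are masked before hashing so that functions that merely moved compare equal, and only functions whose instructions actually changed are reported, along with the bytes the patch inserted.

```python
"""Function-level patch diff on two constructed binaries.

Added example, not from the article or any real diffing tool. The OLD/NEW
"binaries" and their function boundaries are constructed by hand.
"""
import difflib
import hashlib
from typing import Dict, List

CALL_REL32 = 0xE8  # call rel32
JMP_REL32 = 0xE9   # jmp rel32


def normalize(code: bytes) -> bytes:
    """Zero the 4-byte displacement after E8/E9 so that a function whose
    only difference is a shifted call target hashes the same as before."""
    out = bytearray()
    i = 0
    while i < len(code):
        op = code[i]
        out.append(op)
        if op in (CALL_REL32, JMP_REL32) and i + 4 < len(code):
            out.extend(b"\x00\x00\x00\x00")
            i += 5
        else:
            i += 1
    return bytes(out)


def fn_hash(code: bytes) -> str:
    return hashlib.sha256(normalize(code)).hexdigest()


def diff_functions(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report which functions changed, were added, or were removed."""
    common = old.keys() & new.keys()
    return {
        "changed": sorted(n for n in common if fn_hash(old[n]) != fn_hash(new[n])),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def inserted_bytes(old_fn: bytes, new_fn: bytes) -> List[bytes]:
    """Byte runs present in the patched function but not in the original;
    for a bounds-check fix this is typically the new cmp/branch sequence."""
    sm = difflib.SequenceMatcher(None, old_fn, new_fn, autojunk=False)
    return [new_fn[j1:j2] for tag, _, _, j1, j2 in sm.get_opcodes() if tag == "insert"]


# Constructed sample binaries (hypothetical function names and bytes).
OLD: Dict[str, bytes] = {
    # mov eax,[esp+4] ; call rel32 ; ret
    "png_read_chunk": bytes.fromhex("8b442404 e810000000 c3"),
    # xor eax,eax ; ret
    "png_crc": bytes.fromhex("33c0 c3"),
    # call rel32 ; ret
    "main_loop": bytes.fromhex("e820000000 c3"),
}
NEW: Dict[str, bytes] = {
    # mov eax,[esp+4] ; cmp eax,0x10000 ; ja +10 ; call rel32 ; ret
    "png_read_chunk": bytes.fromhex("8b442404 3d00000100 770a e810000000 c3"),
    "png_crc": bytes.fromhex("33c0 c3"),
    # only the call displacement moved because png_read_chunk grew
    "main_loop": bytes.fromhex("e82b000000 c3"),
    "png_report_error": bytes.fromhex("c3"),
}

if __name__ == "__main__":
    report = diff_functions(OLD, NEW)
    print(report)
    for name in report["changed"]:
        print(name, [b.hex() for b in inserted_bytes(OLD[name], NEW[name])])
```

Run as-is it lists `png_read_chunk` as the only changed function, `main_loop` is correctly ignored despite its differing bytes, and the inserted run `3d 00 00 01 00 77 0a` (a compare-and-branch) is exactly the kind of added length check that points an analyst at the bug within minutes.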