Critical Update: Broadcom Modem, why no documentation?

I recently visited Windows Update and saw the following
update in the critical updates section: "Broadcom
Corporation modem software update released on August 27
2003". I downloaded it and later noted that it installed a
file, "BCMSMMSG.exe", in the "run" section of the registry.

Here is my concern. First, there was virtually NO
INFORMATION available from Microsoft when I downloaded this
critical update. There was not, in other words, the usual
article (or bulletin) that you could read that explained
the reason for the update and the security hole that it as
designed to fix. Second, it is very unusual (in my
experience over the last five years, anyway) for a
non-Microsoft product to be part of a critical update.

I spoke with MSFT tech support about this, and after some
investigation by the tech person, I was told that the
update is legitimate, but that THERE IS NO PUBLIC
INFORMATION AVAILABLE on this issue.

I'm glad that the update is legitimate (assuming that what
I was told is accurate), but I am not satisfied with the
complete lack of any documentation for an update,
particularly one in the "Critical" category. How can a
user evaluate an update if he has no idea whatsoever what
the update is designed to fix and what it does? And
doesn't the absence of information make it impossible for
the user to assess over time the quality of the OS and the
modem that he is running? Could this become a trend --
just install this update, we are not telling you what it
is, trust us -- in the future?

Does anyone have any insight into this situation or
thoughts about this?


Thanks.

George

>-----Original Message-----
>I recently visited Windows Update and saw the following
>update in the critical updates section: "Broadcom
>Corporation modem software update released on August 27
>2003". I downloaded it and later noted that it
installed a
>file, "BCMSMMSG.exe", in the "run" section of the
registry.
>
>Here is my concern. First, there was virtually NO
>INFORMATION available from Microsoft when I downloaded
this
>critical update. There was not, in other words, the
usual
>article (or bulletin) that you could read that explained
>the reason for the update and the security hole that it
as
>designed to fix. Second, it is very unusual (in my
>experience over the last five years, anyway) for a
>non-Microsoft product to be part of a critical update.
>
>I spoke with MSFT tech support about this, and after
some
>investigation by the tech person, I was told that the
>update is legitimate, but that THERE IS NO PUBLIC
>INFORMATION AVAILABLE on this issue.
>
>I'm glad that the update is legitimate (assuming that
what
>I was told is accurate), but I am not satisfied with the
>complete lack of any documentation for an update,
>particularly one in the "Critical" category. How can a
>user evaluate an update if he has no idea whatsoever
what
>the update is designed to fix and what it does? And
>doesn't the absence of information make it impossible
for
>the user to assess over time the quality of the OS and
the
>modem that he is running? Could this become a trend --
>just install this update, we are not telling you what it
>is, trust us -- in the future?
>
>Does anyone have any insight into this situation or
>thoughts about this?
>
>
>Thanks.
>
>George
>.
>George,
I feel the same way, with one exception. After being
attacked by a virus which took down my modem, it crashed
it. I couldn't believe that all of a sudden I had no
modem. Anyway, I had to remove and reinstall my modem to
get it back on line. When this update came out,my
thoughts were that if this helps preventing another
attack on my modem great. But as with you I couldn't get
any information on this critical update and prayed that
it was good for it was on Microsoft update page. I still
wonder what the fix is on the Broadcom Modem with this
update.

George wrote:

> I'm glad that the update is legitimate (assuming that what
> I was told is accurate), but I am not satisfied with the
> complete lack of any documentation for an update,
> particularly one in the "Critical" category. How can a
> user evaluate an update if he has no idea whatsoever what
> the update is designed to fix and what it does? And
> doesn't the absence of information make it impossible for
> the user to assess over time the quality of the OS and the
> modem that he is running? Could this become a trend --
> just install this update, we are not telling you what it
> is, trust us -- in the future?
>
> Does anyone have any insight into this situation or
> thoughts about this?
>

Only thoughts that spring to mind are that as such an update would come from
broadcom, the lack of public documentation may well be connected to them, so
you might consider directing your enquiries and annoyance to them.

Secondly, as annoyed as you feel about this happening this way, which I
would agree is far from ideal, would you feel more or less annoyed if nobody
posted a fix and whatever hole it patches up was used to attack your
computer?

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.

Of course, I'm glad that MSFT posted a fix. But, as the
update is not simply a driver update -- it actually changed
something beyond the driver component in the Windows *OS*
itself according to MSFT tech support -- and MSFT is the
source for it, I think MSFT should have published the usual
documentation.

I appreciate your input.

George

>-----Original Message-----
>George wrote:
>
>> I'm glad that the update is legitimate (assuming that
what
>> I was told is accurate), but I am not satisfied with the
>> complete lack of any documentation for an update,
>> particularly one in the "Critical" category. How can a
>> user evaluate an update if he has no idea whatsoever
what
>> the update is designed to fix and what it does? And
>> doesn't the absence of information make it impossible
for
>> the user to assess over time the quality of the OS and
the
>> modem that he is running? Could this become a trend --
>> just install this update, we are not telling you what it
>> is, trust us -- in the future?
>>
>> Does anyone have any insight into this situation or
>> thoughts about this?
>>
>
>Only thoughts that spring to mind are that as such an
update would come from
>broadcom, the lack of public documentation may well be
connected to them, so
>you might consider directing your enquiries and annoyance
to them.
>
>Secondly, as annoyed as you feel about this happening this
way, which I
>would agree is far from ideal, would you feel more or less
annoyed if nobody
>posted a fix and whatever hole it patches up was used to
attack your
>computer?
>
>--
>--
>Rob Moir, Microsoft MVP for servers & security
>Website - http://www.robertmoir.co.uk
>Virtual PC 2004 FAQ - http://www.robertmoir.co.
uk/win/VirtualPC2004FAQ.html
>
>Kazaa - Software update services for your Viruses and
Spyware.
>
>
>.
>