
Hardware 2.0

Adrian Kingsley-Hughes

Microsoft "silently" patches vulnerabilities, leaves admins in the dark

By Adrian Kingsley-Hughes | May 6, 2010, 11:38am PDT

Summary: Security firm Core Security Technologies has pulled up Microsoft on its practice of silently patching as it doesn’t give system administrators the information they require to keep their systems safe.


The two patches in question are MS10-024 and MS10-028.

These two patches contain a total of three "silent" fixes: fixes for bugs that Microsoft uncovered internally. Microsoft's policy is not to list such fixes in the monthly disclosure. But in this case the practice means that the seriousness of the update is understated by Microsoft's own bulletin.

Take MS10-024. Microsoft's bulletin says the update patches a DoS (Denial of Service) vulnerability. However, Core Security Technologies found that it also fixes two more serious bugs.

While researching the fixes issued by Microsoft in Microsoft's Security Bulletin MS10-024, published April 13, 2010, Nicolás Economou discovered two vulnerabilities in Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios.

An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP service trivially. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.

As a result the importance of deploying MS10-024 patches may be misrepresented in the vendor's security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.

Now, we've known for some time that Microsoft doesn't disclose vulnerabilities it discovers internally, but this is the first time we've seen first-hand how withholding the full list of vulnerabilities fixed by a patch can skew the perceived seriousness of the patch itself. In the example above, MS10-024 is a far more important patch than Microsoft's bulletin would lead users to believe.
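The advisory quoted above says forged DNS responses could be fed to the Windows SMTP service, but the page does not say what the two fixed defects were. As an added example (not from the article or from Core Security), here are the checks a DNS client is expected to apply to every UDP response before trusting it: destination port, transaction ID and question section must all match the outstanding query, so a blind spoofer has to guess each of them. The packet layout helpers and sample values are constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class PendingQuery:
    """State a DNS client keeps for an outstanding query (constructed model)."""
    txid: int       # 16-bit transaction ID chosen by the client
    src_port: int   # UDP source port the query was sent from
    qname: str      # name that was asked for

def encode_name(name: str) -> bytes:
    # Wire format: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data: bytes, off: int):
    # Decodes an uncompressed name (the question section is not compressed).
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_response(txid: int, qname: str, ip: str) -> bytes:
    # Minimal A-record answer; used here only to construct sample packets.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer

def accept_response(pending: PendingQuery, dst_port: int, pkt: bytes):
    """Return (accepted, reason). Every check is a value a blind spoofer must guess."""
    if dst_port != pending.src_port:
        return False, "port mismatch"
    if len(pkt) < 12:
        return False, "truncated header"
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != pending.txid:
        return False, "txid mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, _ = decode_name(pkt, 12)
    if qname.lower() != pending.qname.lower():
        return False, "question mismatch"
    return True, "ok"
```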

Microsoft - Do the right thing and start listing ALL vulnerabilities fixed by a patch!


Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Talkback (most recent of 39)

  • RE: Microsoft
    They should be happy that Microsoft fixed the bugs and put the patches out instead of complaining about it. It's not hurting anything by fixing more bugs, this security company needs to get a grip.
    Loverock Davidson
    6th May 2010
  • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark
    @Loverock Davidson

    Actually it's crucial to document the fixes being applied. With that, on the off chance that anything should go wrong applying these updates, system admins have the KB documentation to fall back on; without this documentation, admins are left in the dark as to what happened and where the problem occurred.
    Cylon Centurion
    6th May 2010
  • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark
    @NStalnecker ... I can count on one hand the number of times a "bad update" has been an issue. I'm not saying they shouldn't document, but using the excuse of a potentially bad update is just weak.
    GoodThings2Life
    6th May 2010
  • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark
    @AzuMao ... ALL security updates are important/critical in nature, and if you're an administrator, you should treat them as such by having a regular install cycle for updates. The "whenever I get around to it" and/or "if it ain't broke" mentality makes an administrator lazy and incompetent for certain, and possibly negligent depending on the circumstance and business... and yes, I genuinely feel that way. I'm not saying rush into it blindly, but I'm saying do your homework if you're concerned about stability/compatibility and then get it done.
    GoodThings2Life
    6th May 2010
  • @GoodThings2Life
    I tried to reply to your comment instead of my own, but ZDNet is just completely friggin broke since this latest overhaul. Anyways, what I wanted to say was that Microsoft didn't let anyone know there was a security patch to apply. They just silently slipped it in for those with automatic updates, and said nothing.
    AzuMao
    7th May 2010
  • Did you check the accuracy of the report first?
    Adrian, did you do the journalism 101 thing of checking the accuracy of the report with Microsoft first? The fact that you didn't mention doing so suggests you didn't do this basic thing.

    I'm not saying the report is wrong, mind you.

    What really ticks me off is web journalism that seems to have forgotten all the basic lessons from print journalism, one of which is, check your facts before publishing.
    easson
    6th May 2010
  • Do you have any valid reasons to question the accuracy of the report?
    If you have then please put those reasons forward in addition to your insinuation that to me looks like an attempt at discrediting a seemingly perfectly valid report issued by a reputable company (Core Security Technologies).
    OS Reload
    6th May 2010
  • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark
    @OS Reload

    If you had read what I actually wrote, I was not in any way disputing the veracity of the report itself.

    My concern is the way that Web journalism makes no attempt at checking the validity of what it reports on. If this had been, say, a radio report, you would almost certainly have heard something to the effect of "We attempted to reach Microsoft for their comments, but could not reach them", or "We reached Microsoft, but they refused to comment".

    The fact that there is no such statement on this blog posting is just another sad comment on the poor state of web journalism.
    easson
    6th May 2010
  • RE: But you ARE attacking the accuracy of the report.
    @OS Reload
    I have to agree with OS Reload. You even question the accuracy of the report in your Subject. If you have evidence to the contrary then you should have posted it instead of attacking their credibility without an actual argument. You say "I'm not saying the report is wrong, mind you." and yet your whole premise for commenting was to question the accuracy of the report.
    b5nut
    7th May 2010
  • RE: Do you have any valid reasons to question the accuracy of the report?
    Web journalism does not appear to be held to the same standards nor follows the same rules as print or broadcast journalism. In print and broadcast the rules and standards are institutionalized. On the web, it is up to the journalist, with no credible oversight that I can see, as to which rules and/or standards he will adopt or adhere to. With this as a given, everything on the web is, at the very least, suspect.
    richdave
    7th May 2010
  • I'm with easson
    @OS Reload et al- To me it looks like the site revamp has been used as a thin veil to try to conceal the fact that ZDNet can no longer afford the quality of articles it used to provide. This article hardly seems up Mr. Hughes' original standards, four short paragraphs, a sentence and mostly something cited from somewhere else. For this kind of reporting I could go to Slate.com.
    valvestate@...
    7th May 2010
  • Well, Microsoft DID release patches but no info on what exactly was patched
    leaving admins in the dark.

    I can't see how you can put that into question. It is a fact, there's no way for you to get around that.

    Besides, Microsoft's policy on these fixes is that it doesn't disclose them as part of the monthly disclosure list. With a policy like that in place I wish you good luck when trying to reach Microsoft for comment.
    OS Reload
    6th May 2010
  • I guess you don't live in a country where unbiased journalism is valued
    @OS Reload

    Once again, look at what I wrote. I was not questioning the veracity of the report. I was questioning the journalistic integrity of the blogger. Maybe you live in a country (US???) where integrity in reporting is now so foreign a concept that you are shocked by the suggestion.
    easson
    6th May 2010
