Microsoft "silently" patches vulnerabilities, leaves admins in the dark

Summary: Security firm Core Security Technologies has pulled up Microsoft on its practice of silently patching as it doesn't give system administrators the information they require to keep their systems safe.

TOPICS: Microsoft, Security

Security firm Core Security Technologies has pulled up Microsoft on its practice of silently patching as it doesn't give system administrators the information they require to keep their systems safe.

The two patches in question are MS10-024 and MS10-028.

These two patches contain a total of three "silent" fixes: fixes for bugs that Microsoft uncovered internally. Microsoft's policy is not to list such fixes in the monthly disclosure. In this case, the practice means that Microsoft's own bulletin understates the seriousness of the update.

Take MS10-024. The bulletin states that this update patches a DoS (Denial of Service) vulnerability. However, Core Security Technologies uncovered two more serious bug fixes in the same update.

While researching the fixes issued by Microsoft in Microsoft's Security Bulletin MS10-024 published April 13, 2010 Nicolás Economou discovered two vulnerabilities in Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios.

...

An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP service trivially. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.

As a result the importance of deploying MS10-024 patches may be misrepresented in the vendor's security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.

Now, we've known for some time that Microsoft doesn't disclose vulnerabilities it discovers itself, but this is the first time we've seen first-hand how leaving vulnerabilities out of a bulletin can skew the perceived seriousness of the patch. In the example above, MS10-024 is a far more important patch than Microsoft's bulletin would lead users to believe.

Microsoft - Do the right thing and start listing ALL vulnerabilities fixed by a patch!


Talkback

39 comments
  • RE: Microsoft

    They should be happy that Microsoft fixed the bugs and put the patches out instead of complaining about it. It's not hurting anything by fixing more bugs; this security company needs to get a grip.
    Loverock Davidson
    • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark

      @Loverock Davidson

      Actually, it's crucial to document the fixes being applied. With that, on the off chance that anything goes wrong applying these updates, system admins have the KB documentation to fall back on; without this documentation, admins are left in the dark as to what happened and where the problem occurred.
      The one and only, Cylon Centurion
      • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark

        @NStalnecker ... I can count on one hand the number of times a "bad update" has been an issue. I'm not saying they shouldn't document, but using the excuse of a potentially bad update is just weak.
        GoodThings2Life
    • Fixing them wasn't bad. Hiding it from administrators so they didn't know..

      ..the update was important, that was bad.
      AzuMao
      • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark

        @AzuMao ... ALL security updates are important/critical in nature, and if you're an administrator, you should treat them as such by having a regular install cycle for updates. The "whenever I get around to it" and/or "if it ain't broke" mentality makes an administrator lazy and incompetent for certain, and possibly negligent depending on the circumstance and business... and yes, I genuinely feel that way. I'm not saying rush into it blindly, but I'm saying do your homework if you're concerned about stability/compatibility and then get it done.
        GoodThings2Life
      • @GoodThings2Life

        I tried to reply to your comment instead of my own, but ZDNet is just [i]completely[/i] friggin broke since this latest overhaul. Anyways, what I wanted to say was that Microsoft didn't let anyone know there was a security patch to apply. They just silently slipped it in for those with automatic updates, and said nothing.
        AzuMao
  • Did you check the accuracy of the report first?

    Adrian, did you do the journalism 101 thing of checking the accuracy of the report with Microsoft first? The fact that you didn't mention doing so suggests you didn't do this basic thing.

    I'm not saying the report is wrong, mind you.

    What really ticks me off is web journalism that seems to have forgotten all the basic lessons from print journalism, one of which is, check your facts before publishing.
    easson
    • Do you have any valid reasons to question the accuracy of the report?

      If you have then please put those reasons forward in addition to your insinuation that to me looks like an attempt at discrediting a seemingly perfectly valid report issued by a reputable company (Core Security Technologies).
      OS Reload
      • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark

        @OS Reload

        If you had read what I actually wrote, I was not in any way disputing the veracity of the report itself.

        My concern is the way that Web journalism makes no attempt at checking the validity of what it reports on. If this had been, say, a radio report, you would almost certainly have heard something to the effect of "We attempted to reach Microsoft for their comments, but could not reach them", or "We reached Microsoft, but they refused to comment".

        The fact that there is no such statement on this blog posting is just another sad comment on the poor state of web journalism.
        easson
      • RE: But you ARE attacking the accuracy of the report.

        @OS Reload

        I have to agree with OS Reload. You even question the accuracy of the report in your Subject. If you have evidence to the contrary then you should have posted it instead of attacking their credibility without an actual argument. You say "I'm not saying the report is wrong, mind you." and yet your whole premise for commenting was to question the accuracy of the report.
        b5nut
      • RE:Do you have any valid reasons to question the accuracy of the report?

        Web journalism does not appear to be held to the same standards nor follows the same rules as print or broadcast journalism. In print and broadcast the rules and standards are institutionalized. On the web, it is up to the journalist, with no credible oversight that I can see, as to which rules and/or standards he will adopt or adhere to. With this as a given, everything on the web is, at the very least, suspect.
        richdave
      • I'm with easson

        @OS Reload et al- To me it looks like the site revamp has been used as a thin veil to try to conceal the fact that ZDNet can no longer afford the quality of articles it used to provide. This article hardly seems up Mr. Hughes' original standards, four short paragraphs, a sentence and mostly something cited from somewhere else. For this kind of reporting I could go to Slate.com.
        valvestate@...
    • Right because it's not like Microsoft might be biased in favor of Microsoft

      AzuMao
    • Well, Microsoft DID release patches but no info on what exactly was patched

      leaving admins in the dark.

      I can't see how you can put that into question. It is a fact, there's no way for you to get around that.

      Besides, Microsoft's policy on these fixes is that it doesn't disclose them as part of the monthly disclosure list. With a policy like that in place I wish you good luck when trying to reach Microsoft for comment.
      OS Reload
      • I guess you don't live in a country where unbiased journalism is valued

        @OS Reload

        Once again, look at what I wrote. I was not questioning the veracity of the report. I was questioning the journalistic integrity of the blogger. Maybe you live in a country (US???) where integrity in reporting is now so foreign a concept that you are shocked by the suggestion.
        easson
      • @easson

        I'm not sure if this will show up right since ZDNet is so broken now (it wouldn't even let me reply to your comment, so I had to reply to OS Reload's instead, even though I am not even talking to him, and it opened two duplicate forms to write in.. I guess I use this first one?).

        If it [i]does[/i], I'd just like to ask you; what country [i]is[/i] unbiased journalism valued in?
        AzuMao
    • RE: Microsoft "silently" patches vulnerabilities, leaves admins in the dark

      @easson

      This is an opinion piece on the findings of a report issued by another company. If Microsoft wanted to comment on it, they could issue a press release in response to the report, but not to the author's opinion on the report.
      katbdesign
    • Checking the accuracy of the report with Microsoft first?

      @easson
      Are you serious? Microsoft doesn't want this information made public. It will prove their software is no better than other software, and cast doubts on the metric that is used to gauge software quality these days: the number of patches that are applied. Microsoft is actively putting its public image ahead of public interests. The spin doctors at Microsoft would say it is simply not true, and start a F.U.D. campaign against the company that reported the finding.
      Rick_K
  • Calling George Ou

    "Now, we've known for some time that Microsoft doesn't disclose vulnerabilities it discovers..."

    Really, you wouldn't know that from the superficial vulnerability analysis we've been subjected to here on ZDNet by particular authors.

    Advisories should, of course, disclose all information. In the *nix world we use such information to determine what patches are required and how urgently.

    It's probably not as important for the MSCE, whose skill-set relies on frantic clicking & rebooting, but I'm sure there are at least a couple of Windows servers looked after by professionals ;-)
    Richard Flude
  • Only with Microsoft would patching extra vulnerabilities be viewed as...

    ...a negative.
    ye