Security firm Core Security Technologies has pulled Microsoft up on
its practice of silent patching, because it denies system administrators
the information they need to keep their systems safe. These two patches
contain a total of three "silent" fixes: fixes for bugs that Microsoft
uncovered internally. Microsoft's policy is not to list such fixes in
its monthly security bulletins. In this case, the practice means that the
seriousness of the update is understated in Microsoft's own bulletin.
Take MS10-024. The bulletin says this update patches Denial of Service
and Information Disclosure vulnerabilities. However, Core Security
Technologies found that it also fixes two more serious bugs. From Core's
advisory:
While analyzing the fixes issued by Microsoft in Microsoft's Security
Bulletin MS10-024, published April 13, 2010, Nicolás Economou discovered
two vulnerabilities in Windows SMTP Service and Microsoft Exchange. These
vulnerabilities were fixed by the patches referenced in MS10-024 but
were not disclosed in the vendor's security bulletin and did not have a
unique vulnerability identifier assigned to them. As a result, the
guidance and the assessment of risk derived from reading the vendor's
security bulletin may overlook or misrepresent actual threat scenarios.
An attacker may leverage the two previously undisclosed
vulnerabilities fixed by MS10-024 to spoof responses to any DNS query
sent by the Windows SMTP service trivially. DNS response spoofing and
cache poisoning attacks are well known to have a variety of security
implications with impact beyond just Denial of Service and Information
Disclosure as originally stated in MS10-024.
As a result the importance of deploying MS10-024 patches may be
misrepresented in the vendor's security bulletin. Organizations using
vulnerable packages should consider re-assessing patch deployment
priorities in view of the additional information provided in this
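To see why trivially spoofable DNS responses to a mail server are worse than a Denial of Service, here is an added example (not code from Core Security, Microsoft or the original post). A mail server resolving MX records hands its outbound mail to whichever host the accepted answer names. The "weak" matcher below, which believes any answer carrying the right question name, is an assumed weakness for illustration only: the advisory does not say which check the Windows SMTP service actually lacked. The "strict" matcher binds the response to the transaction ID, destination port and server of the outstanding query. All packets, addresses and names are constructed for the demo.

```python
"""Added example: weak versus strict matching of DNS responses to pending
queries, and the MX host a mail server would end up talking to in each case.
Not from the Core advisory or Microsoft; the weak matcher is an assumed
illustration of the attack class, not a reproduction of the patched bug."""
import struct

MX = 15  # DNS RR type for mail exchanger


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_name(pkt, off):
    """Decode a DNS name at pkt[off]; handles RFC 1035 compression pointers."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the packet
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def build_mx_response(txid, qname, mx_host, pref=10):
    """One-question, one-answer MX response (QR, AA, RD, RA set; no compression)."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", MX, 1)
    rdata = struct.pack(">H", pref) + encode_name(mx_host)
    answer = encode_name(qname) + struct.pack(">HHIH", MX, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt):
    txid, _flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    qname, off = parse_name(pkt, 12)
    qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = parse_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == MX:
            pref = struct.unpack(">H", pkt[off:off + 2])[0]
            host, _ = parse_name(pkt, off + 2)
            answers.append({"name": name, "pref": pref, "host": host})
        off += rdlen
    return {"txid": txid, "qname": qname, "qtype": qtype, "answers": answers}


def weak_accept(pending, resp, src, dport):
    """Assumed weak matcher: any answer for the right name is believed."""
    return resp["qname"].lower() == pending["qname"].lower()


def strict_accept(pending, resp, src, dport):
    """Bind the response to the outstanding query before trusting it."""
    qn = pending["qname"].lower()
    return (src == pending["server"]
            and dport == pending["sport"]
            and resp["txid"] == pending["txid"]
            and resp["qname"].lower() == qn
            and resp["qtype"] == pending["qtype"]
            and all(a["name"].lower() == qn for a in resp["answers"]))


def chosen_mx(pending, resp, src, dport, accept):
    """MX host the mail server would connect to, or None if the response is rejected."""
    if not accept(pending, resp, src, dport):
        return None
    return min(resp["answers"], key=lambda a: a["pref"])["host"]


def demo():
    # Outstanding MX lookup made by the mail server (constructed state).
    pending = {"txid": 0x1234, "qname": "recipient.example", "qtype": MX,
               "server": "192.0.2.53", "sport": 40321}
    legit = parse_response(build_mx_response(0x1234, "recipient.example", "mx.recipient.example"))
    # The attacker forges the server's source IP (cheap) but does not know the
    # transaction ID or the client port, so both are wrong in the forgery.
    spoof = parse_response(build_mx_response(0x0001, "recipient.example", "mx.attacker.example"))
    return {
        "weak_legit": chosen_mx(pending, legit, "192.0.2.53", 40321, weak_accept),
        "weak_spoof": chosen_mx(pending, spoof, "192.0.2.53", 1025, weak_accept),
        "strict_legit": chosen_mx(pending, legit, "192.0.2.53", 40321, strict_accept),
        "strict_spoof": chosen_mx(pending, spoof, "192.0.2.53", 1025, strict_accept),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the weak matcher the forged answer wins and the server would deliver outbound mail for recipient.example to mx.attacker.example; with the strict matcher the forgery is dropped because its transaction ID and port do not match the query in flight. That is the gap between "Denial of Service" and what a DNS spoofing bug in a mail service can actually cost.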
Now, we've known for some time that Microsoft doesn't disclose the
vulnerabilities it discovers itself, but this is the first time we've
seen first-hand how leaving vulnerabilities out of a bulletin can skew
the perceived seriousness of the patch. In the example above, MS10-024
is a far more important patch than Microsoft's bulletin would lead users
to believe.
Microsoft – Do the right thing and start listing
ALL vulnerabilities fixed by a patch!