
Security Firm Reveals Microsoft's "Silent" Patches

Posted by timothy
from the when-md5-sums-won't-help dept.
CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"
"Secret patches are neither new nor rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can 'be destructive to customer environments.' But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."
  • "Silent..." (Score:4, Funny)

    by gyrogeerloose (849181) on Thursday May 06, 2010 @03:24PM (#32115806) Journal
    ...but deadly.
    • by somersault (912633) on Thursday May 06, 2010 @03:33PM (#32115940) Homepage Journal

      Ivan Arce

      I've an arse too, but I don't feel the need to point it out to everyone..

      • Ivan Arce

        I've an arse too, but I don't feel the need to point it out to everyone..

        You know, I'm embarrassed to admit it but I missed that entirely. Good catch.

      • Re: (Score:3, Funny)

        by Cro Magnon (467622)

        It's probably just as well that they didn't mention his sister, Imma.

        • He has a wife, you know. You know what she's called? She's called... Incontinentia.
  • Tru Dat (Score:2, Informative)

    by MrTripps (1306469)
    Updates can be destructive to customer environments. Just ask anyone who uses McAfee.
  • sneaky bastards! (Score:3, Insightful)

    by Anonymous Coward on Thursday May 06, 2010 @03:27PM (#32115846)

    they should tell us about everything they're doing. they can do/undo bugs and we'd never know it.

  • How so? (Score:4, Interesting)

    by khasim (1285) <brandioch.conner@gmail.com> on Thursday May 06, 2010 @03:28PM (#32115864)

    Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.'

    How so? If it is a patch, it needs to go through your testing process for deployment.

    • Re:How so? (Score:5, Insightful)

      by h4rr4r (612664) on Thursday May 06, 2010 @03:34PM (#32115952)

      Because the level of the threat may determine how long that testing process is, and such. You may be willing to take more risk from the patch if the issue it cures is very important.

      • by timeOday (582209)
        Or you can go the other way: cloud computing. Nobody expects google to publicise every security patch they make to the gmail servers. Instead of admins at every company in the world trying to independently evaluate every patch, you trust google to do it correctly.
        • by h4rr4r (612664)

          Which means when they don't everyone suffers, and you get to pay forever.

          Both have tradeoffs.

        • by vegiVamp (518171)
          Maybe that's because we're a) not paying for b) using their software and machines.

          When Google delivers a free service, I can't much complain when they do updates without telling me. If I pay for their services, I expect there to be SLAs and for them to apply patches non-disruptively and without breaking contract.

          If I BUY software from Microsoft, run it on my own hardware, pay for their support and have to do the patching myself, I feel they have an obligation to tell me what a patch does in order for me to
    • Mod up. Beat me to it.
      A competent admin, (and if you're running a 'mission critical Exchange server', you'd better be) will be all over this...
      Of course, patched or not, Exchange is still a steaming pile IMHO

    • Re: (Score:1, Offtopic)

      by Bearhouse (1034238)

      BTW, is that the wind or the car?
      (Had one of the cars back in the 80s; amazing, but you needed to be either rich or a great mechanic)

    • Because if the patch only says that it corrects a typo in a description somewhere, a good admin will probably not be in a hurry to deploy it. If it closes a bug that allows root access because someone logs in with the username "Joshua", the admin might be more eager to test and apply the patch ASAP.
    • Re: (Score:3, Informative)

      by Todd Knarr (15451)

      Because what's in the patch determines the priority for testing/QA. If the patch apparently only addresses low-risk vulnerabilities or ones we've got other mitigation in place for, we may decide to give that patch a low priority and not test and deploy it quickly. If the patch's description doesn't disclose that the patch also addresses a severe high-risk vulnerability that we have no mitigation in place for, then we've given the deployment the wrong priority and don't know that we have. The end result won'

      • There's also the effort in getting the patch to play nice. I know if there are mitigations elsewhere for vulnerabilities that most companies won't bother putting much effort into getting it to work, which usually ends up with the patch being canned. If the patch fixes a major vulnerability, more resources are deployed due to the higher priority and/or nature of the bug. If there is no bug/patch information and I'm not able to prioritise, well, you pretty much said it - not pretty. I've yet to come across an

      • by jim_v2000 (818799)
        You realize that this article is all about some security firm that thinks the patched problems were more important than Microsoft did, right? They think the updates should have been marked "Critical", while Microsoft thinks they were "Important". I'd go with MS on this one instead of some attention whoring security firm.
  • by hoggoth (414195) on Thursday May 06, 2010 @03:28PM (#32115870) Journal

    Phwew! Thank you Microsoft. Just yesterday I posted that I usually find a reason to hate Microsoft each day, but yesterday I loved the new Office 10. Thanks for bringing me back to my comfortable place.

    http://slashdot.org/comments.pl?sid=1641038&cid=32102920&art_pos=1

    • You hate them because they patched a bug in their software? Something might be wrong with your hardware.
      • by hoggoth (414195)

        I hate them because they silently make changes to MY computer without my permission or knowledge.
        They are sneaky and untrustworthy.

        Why couldn't they just list these patches along with the ones they DID disclose?

        It fits right in with the entire design of their operating systems. Hide information from the owner, "for their own good."
        Time and time again I spend hours or days struggling with problems whose root comes down to Microsoft thinking I shouldn't know what is really happening inside my computer.
        Well, not

        • by jim_v2000 (818799)
          This is such a non-story. MS found a few bugs that they patched and this security company happens to think that they were more critical than Microsoft did.
    • META POST:
      RE: your signature
      that's a great song, odd to say that the lyrics are better than Santana in it (and I love Santana)

      Most people don't know, Everlast didn't start in House of Pain, but was solo before it. He was a sorta gangsta-rapper from Ice-T's Rhyme Syndicate

  • by Aighearach (97333) on Thursday May 06, 2010 @03:32PM (#32115932) Homepage

    they've got to keep those great security stats they publish about themselves somehow, right?

  • "Secret patches are neither new nor rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security."

    What is unusual is that Core took Microsoft's silent updates public.

    Not that this should go on anyway, but don't go thinking this is a rare instance and they are stealing your milk money; it happens enough to be some sort of standard business practice.

  • by kervin (64171) on Thursday May 06, 2010 @03:40PM (#32116040) Homepage

    All vulnerabilities and patch side effects should be described, so I'm not defending the practice. But until a system administrator has the full source code of the system and is willing and capable of auditing it, they should apply all critical patches.

    Regardless of the operating system.

    • Re: (Score:3, Informative)

      by petermgreen (876956)

      According to the article some of these patches were only marked as important not critical.

      • by jonwil (467024)

        Anything that fixes security issues or appears under "high priority" in Windows Update is considered critical by me.

  • ... themselves!

    Microsoft doesn't need additional bad press. The more bad press they can prevent, the better...for them anyway.

  • No surprise here. Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment. However, vendors need to not disclose exactly what bugs are being fixed in each patch to minimize the damage to their reputations that comes from large numbers of major bugs or having to fix the same bug over and over and over. And since the vendors get to control the patch descriptions, guess who gets their way.

    This is one reason I favor full disclosure of se

    • I agree, and would never argue that vendors should hide bugs they find or bugs they fix.

      HOWEVER, requiring all bug fixes to be fully publicly disclosed could create some perverse incentives to not patch a bug. If they feel that not many people know about it, it may seem advantageous to a short-sighted vendor to just hide the bug and pretend it doesn't exist, since fixing it requires disclosing its existence.

      This is a horrible thing of course, but I don't think a vendor being this short-sighted would be shocking

      • by Todd Knarr (15451)

        Full disclosure of vulnerabilities typically isn't done by the vendor, it's done by the party finding the vulnerability. If the vendor's the first one to find the problem they can, of course, always not say anything about it, but then they've got to fix it before anybody else finds it.

    • by jim_v2000 (818799)
      >Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment.

      If it's a security update, you apply it. If you don't, and you get owned, it's your fault.
  • by RevWaldo (1186281) on Thursday May 06, 2010 @03:59PM (#32116354)
    (on conference call)

    Dr. Egon Spengler: There's something very important we forgot to tell you.
    Ivan Arce: What?
    ES: Advise your clients to install security update MS10-024.
    IA: Why? What would happen if they didn't?
    ES: It would be bad.
    IA: I'm fuzzy on the whole good/bad thing. What do you mean, "bad"?
    ES: Try to imagine all their Exchange servers locking up all at once and all their mail traffic being rerouted to parts unknown, effectively bringing about the end of your client's existence as a functioning company.
    Dr. Ray Stantz: Total packet reversal!
    IA: Right. That's bad. Okay. All right. Important safety tip. Thanks, Egon.

  • by Culture20 (968837) on Thursday May 06, 2010 @04:19PM (#32116670)

    administrators may end up making the wrong decisions about applying the update.

    Decision? Automatically apply updates and reboot? Check.
    One year later: BREAK
    Well, that's Microsoft, Boss. Whatada gonna do? Sure I'll come in for overtime; you buying pizza? I want Hawaiian.

  • ...how much the numbers are actually misrepresented in side-by-side vulnerability comparisons between the various platforms (Windows/Linux, etc.), if there's a bunch of them that are being swept under the carpet.
    • by V!NCENT (1105021)

      Side-by-side vulnerability comparisons are bullshit to begin with.

      Anyone with a brain larger than a peanut will have noticed that software is created by humans and that there have always been security vulnerabilities in any OS, including remote exploits in OpenBSD, which is basically as secure as an OS can get from a human creation policy perspective.

      The point is what security measures are there to prevent such bugs from becoming a remote security hole?
      Windows means anti-malware, but this is after the effec

  • "[...] they're more important than the [two vulnerabilities] that Microsoft did disclose," said Arce. "That means [system] administrators may end up making the wrong decisions about applying the update."

    Right, there's been a fair few times where I've not applied security patches "right away" for simple reasons; like they did not affect the way my system was set up.
    But in the end I am hoping "[...]end up making the wrong decisions about applying the update" is talking about a time aspect rather than if-at-all

  • A claim researchers have sometimes made is that Windows has fewer critical security issues.

    That this has come to light raises even more doubt about the validity of such studies.

    This is a demonstration that Microsoft sometimes hides critical security bugs, and doesn't release advisories, even when they have been reported.

    This is prima facie evidence that Microsoft closed-source software probably has many critical security vulnerabilities that were never publicized as such, and were instead kept secret, a

    • by Ol Olsoc (1175323)
      And this is new somehow?

      Dunno if it's related, but a recent update killed my computer at home. So between silent updates and updates that make your computer secure by making it non-functional, it's just more of the same from our friends at Redmond

      • by mysidia (191772)

        I don't think it's new, but you see... this is tangible credible evidence that can be cited. Much better than anecdotes from individuals about MS practices.

        It's very rare that MS silently patches something or pretends an issue doesn't exist, and the industry and major publications actually acknowledge that it happened.

    • by jim_v2000 (818799)
      Read the article before you go spouting off about Microsoft.

      >The truth is that it's business as usual for not just Microsoft, but for most software makers, said Storms. "Vendors commonly find bugs themselves in released code and will distribute the fixes inside a bundle of other patches," he noted. "Many times there simply is no benefit to anyone to disclose the bug."
      • by mysidia (191772)

        "Many times there simply is no benefit to anyone to disclose the bug."

        This is pure and utter nonsense.

        • Failing to publicize the more critical issue means fewer people will apply the patch -- less pressure to apply the patch
        • Sometimes higher-priority vulnerabilities are applied, and lower-priorities are not.
        • Often IT professionals will review the specific security advisory in question, and run the patch early only if the advised security issue impacts their setup; more general patching of issues that d
        • by jim_v2000 (818799)
          These weren't released as anonymous patches, they were bundled with other security updates. If you don't think you need to install a security patch marked as "important", you should look into a career other than IT.
          • by mysidia (191772)

            Time for you to get out of IT, if you think you need to blindly apply every patch marked important, that is an extreme waste.

            It doesn't matter what the rating is; if the patch isn't for an issue that affects you, it is not worth the cost in terms of downtime risk and overhead to apply that patch.

            Doubly so for non-critical rated issues.

            For every patch, you read the security advisories in detail, and determine whether to implement the patch, or design a workaround to prevent the issue from being exploi

  • by mrdtr (1343377)

    So basically if you can't trust MS to be truthful and upfront about security updates, what can you trust them with?
