Security Firm Reveals Microsoft's "Silent" Patches 84
CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"
"Secret patches are neither new or rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy," said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can "be destructive to customer environments." But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."
"Silent..." (Score:4, Funny)
Phwew, back to status quo... (Score:5, Funny)
Phwew! Thank you Microsoft. Just yesterday I posted that I usually find a reason to hate Microsoft each day, but yesterday I loved the new Office 10. Thanks for bringing me back to my comfortable place.
http://slashdot.org/comments.pl?sid=1641038&cid=32102920&art_pos=1 [slashdot.org]
Re:Tru Dat (Score:4, Funny)
yeah, but McAfee is disruptive/destructive by default. Are you sure that's a fair example?
How appropriate (Score:5, Funny)
Ivan Arce
I've an arse too, but I don't feel the need to point it out to everyone..
Dr. Egon Spengler, Microsoft Chief Securiy Officer (Score:5, Funny)
Dr. Egon Spengler: There's something very important we forgot to tell you.
Ivan Arce: What?
ES: Advise your clients to install security update MS10-024.
IA: Why? What would happen if they didn't?
ES: It would be bad.
IA: I'm fuzzy on the whole good/bad thing. What do you mean, "bad"?
ES: Try to image all their Exchange servers locking up all at once and all their mail traffic being rerouted to parts unknown, effectively bringing about the end of your client's existence as a functioning company.
Dr. Ray Stantz: Total packet reversal!
IA: Right. That's bad. Okay. All right. Important safety tip. Thanks, Egon.
.
Re:How appropriate (Score:3, Funny)
It's probably just as well that they didn't mention his sister, Imma.