Security Firm Reveals Microsoft's "Silent" Patches
CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"
"Secret patches are neither new nor rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can 'be destructive to customer environments.' But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."
Tru Dat (Score:2, Informative)
Re:How so? (Score:3, Informative)
Because what's in the patch determines the priority for testing/QA. If the patch apparently only addresses low-risk vulnerabilities or ones we've got other mitigation in place for, we may decide to give that patch a low priority and not test and deploy it quickly. If the patch's description doesn't disclose that the patch also addresses a severe high-risk vulnerability that we have no mitigation in place for, then we've given the deployment the wrong priority and don't know that we have. The end result won't be pretty.
Re:Apply all critical patches regardless of platfo (Score:3, Informative)
According to the article some of these patches were only marked as important not critical.
You're looking at this the wrong way (Score:4, Informative)
Microsoft was not fixing a bug, it was removing a remote access feature. They didn't mention it because they didn't want people to complain that this valuable functionality was being removed.