Security Firm Reveals Microsoft's "Silent" Patches 84
CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"
"Secret patches are neither new or rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy," said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can "be destructive to customer environments." But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."
sneaky bastards! (Score:3, Insightful)
they should tell us about everything they're doing. they can do/undo bugs and we'd never know it.
Nobody ever got fired for lying (Score:5, Insightful)
they've got to keep those great security stats they publish about themselves somehow, right?
Re:How so? (Score:5, Insightful)
Because the level of the threat may determine how long that testing process is, and such. You may be willing to take more risk from the patch if the issue it cures is very important.
Apply all critical patches regardless of platform (Score:5, Insightful)
All vulnerabilities and patch side effects should be described, so I'm not defending the practice,. But until a system administrator has the full source code of the system and is willing and capable of auditing it, they should apply all critical patches.
Regardless of the operating system.
administrators... wrong decisions (Score:4, Insightful)
administrators may end up making the wrong decisions about applying the update.
Decision? Automatically apply updates and reboot? Check.
One year later: BREAK
Well, that's Microsoft, Boss. Whatada gonna do? Sure I'll come in for overtime; you buying pizza? I want Hawaiian.