Security Firm Reveals Microsoft's "Silent" Patches
CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"
"Secret patches are neither new nor rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can 'be destructive to customer environments.' But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."
"Silent..." (Score:4, Funny)
How appropriate (Score:5, Funny)
Ivan Arce
I've an arse too, but I don't feel the need to point it out to everyone..
Re: (Score:2)
Ivan Arce
I've an arse too, but I don't feel the need to point it out to everyone..
You know, I'm embarrassed to admit it but I missed that entirely. Good catch.
Re: (Score:3, Funny)
It's probably just as well that they didn't mention his sister, Imma.
Re: (Score:1)
Re: (Score:1)
You're serious, there's someone on /. who doesn't recognize a Monty Python reference?
Re: (Score:2)
You're looking at this the wrong way (Score:4, Informative)
Microsoft was not fixing a bug, it was removing a remote access feature. They didn't mention it because they didn't want people to complain that this valuable functionality was being removed.
Re: (Score:2)
Re: (Score:2)
Maybe Sony should've tried that, too.
You jest, but actually, simply breaking the 'Other OS' feature and never fixing it would have made them look merely incompetent, which they've been through time and time again (remember Minidisc? The market sure doesn't.) But this makes them look Evil (which of course they are) which is a little harder to forget. I'll give incompetents another chance — I keep buying ATI video cards in between every couple nVidia cards, for example. But the truly evil? That's a little tougher. With that said, I have a
Tru Dat (Score:2, Informative)
Re:Tru Dat (Score:4, Funny)
yeah, but McAfee is disruptive/destructive by default. Are you sure that's a fair example?
Re: (Score:2)
Yes because so is Microsoft.
sneaky bastards! (Score:3, Insightful)
they should tell us about everything they're doing. they can do/undo bugs and we'd never know it.
How so? (Score:4, Interesting)
How so? If it is a patch, it needs to go through your testing process for deployment.
Re:How so? (Score:5, Insightful)
Because the level of the threat may determine how long that testing process is, and such. You may be willing to take more risk from the patch if the issue it cures is very important.
Re: (Score:2)
Re: (Score:2)
Which means when they don't everyone suffers, and you get to pay forever.
Both have tradeoffs.
Re: (Score:2)
When Google delivers a free service, I can't much complain when they do updates without telling me. If I pay for their services, I expect there to be SLAs and for them to apply patches non-disruptively and without breaking contract.
If I BUY software from Microsoft, run it on my own hardware, pay for their support and have to do the patching myself, I feel they have an obligation to tell me what a patch does in order for me to
Re: (Score:2)
Mod up. Beat me to it.
A competent admin, (and if you're running a 'mission critical Exchange server', you'd better be) will be all over this...
Of course, patched or not, Exchange is still a steaming pile IMHO
Re: (Score:1, Offtopic)
BTW, is that the wind or the car?
(Had one of the cars back in the 80s; amazing, but you needed to be either rich or a great mechanic)
Re: (Score:1)
Re: (Score:3, Informative)
Because what's in the patch determines the priority for testing/QA. If the patch apparently only addresses low-risk vulnerabilities or ones we've got other mitigation in place for, we may decide to give that patch a low priority and not test and deploy it quickly. If the patch's description doesn't disclose that the patch also addresses a severe high-risk vulnerability that we have no mitigation in place for, then we've given the deployment the wrong priority and don't know that we have. The end result won'
Re: (Score:2)
There's also the effort in getting the patch to play nice. I know if there are mitigations elsewhere for vulnerabilities that most companies won't bother putting much effort into getting it to work, which usually ends up with the patch being canned. If the patch fixes a major vulnerability, more resources are deployed due to the higher priority and/or nature of the bug. If there is no bug/patch information and I'm not able to prioritise, well, you pretty much said it - not pretty. I've yet to come across an
Re: (Score:2)
Phwew, back to status quo... (Score:5, Funny)
Phwew! Thank you Microsoft. Just yesterday I posted that I usually find a reason to hate Microsoft each day, but yesterday I loved the new Office 10. Thanks for bringing me back to my comfortable place.
http://slashdot.org/comments.pl?sid=1641038&cid=32102920&art_pos=1 [slashdot.org]
Re: (Score:2)
Re: (Score:2)
I hate them because they silently make changes to MY computer without my permission or knowledge.
They are sneaky and untrustworthy.
Why couldn't they just list these patches along with the ones they DID disclose?
It fits right in with the entire design of their operating systems. Hide information from the owner, "for their own good."
Time and time again I spend hours or days struggling with problems whose root comes down to Microsoft thinking I shouldn't know what is really happening inside my computer.
Well, not
Re: (Score:2)
Re: (Score:2)
META POST:
RE: your signature
That's a great song; odd to say that the lyrics are better than Santana in it (and I love Santana).
Most people don't know, Everlast didn't start in House of Pain, but was solo before it. He was a sorta gangsta-rapper from Ice-T's Rhyme Syndicate.
Nobody ever got fired for lying (Score:5, Insightful)
they've got to keep those great security stats they publish about themselves somehow, right?
Quote. (Score:1)
"Secret patches are neither new nor rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security."
What is unusual is that Core took Microsoft's silent updates public.
Not that this should go on anyway, but don't go thinking this is a rare instance and they are stealing your milk money; it happens enough to be some sort of standard business practice.
Re: (Score:2)
"You will NEVER be happy with anything Microsoft does."
I know. I figured it wasn't really my thing, so I jumped onto a different OS bandwagon and absolutely love it!
Re: (Score:2)
You must be mistaking me for a Mac user, coward.
Re: (Score:2)
I would be quite happy if Microsoft were to die a horrible death involving fire.
Re: (Score:2)
That explosion would be kinda deadly... You know... flying chairs and all...
Re: (Score:2)
Hmm... so Seattle is sitting on a ticking fuel-chair bomb eh?
Apply all critical patches regardless of platform (Score:5, Insightful)
All vulnerabilities and patch side effects should be described, so I'm not defending the practice. But until a system administrator has the full source code of the system and is willing and able to audit it, they should apply all critical patches.
Regardless of the operating system.
Re: (Score:3, Informative)
According to the article some of these patches were only marked as important not critical.
Re: (Score:2)
Anything that fixes security issues or appears under "high priority" in Windows Update is considered critical by me.
There is a bigger risk to consider... (Score:1)
... themselves!
Microsoft doesn't need additional bad press. The more bad press they can prevent, the better...for them anyway.
Unsurprising (Score:2)
No surprise here. Sysadmins need to know exactly what bugs are being fixed in each patch so they can decide on appropriate priorities for deployment. However, vendors need to not disclose exactly what bugs are being fixed in each patch to minimize the damage to their reputations that comes from large numbers of major bugs or having to fix the same bug over and over and over. And since the vendors get to control the patch descriptions, guess who gets their way.
This is one reason I favor full disclosure of se
Re: (Score:2)
I agree, and would never argue that vendors should hide bugs they find or bugs they fix.
HOWEVER, requiring all bug fixes to be fully publicly disclosed could create some perverse incentives to not patch a bug. If they feel that not many people know about it, it may seem advantageous to a short-sighted vendor to just hide the bug and pretend it doesn't exist, since fixing it requires disclosing its existence.
This is a horrible thing of course, but I don't think a vendor being this short-sighted would be shocking.
Re: (Score:2)
Full disclosure of vulnerabilities typically isn't done by the vendor, it's done by the party finding the vulnerability. If the vendor's the first one to find the problem they can, of course, always not say anything about it, but then they've got to fix it before anybody else finds it.
Re: (Score:2)
If it's a security update, you apply it. If you don't, and you get owned, it's your fault.
Re: (Score:2)
Money
Dr. Egon Spengler, Microsoft Chief Security Officer (Score:5, Funny)
Dr. Egon Spengler: There's something very important we forgot to tell you.
Ivan Arce: What?
ES: Advise your clients to install security update MS10-024.
IA: Why? What would happen if they didn't?
ES: It would be bad.
IA: I'm fuzzy on the whole good/bad thing. What do you mean, "bad"?
ES: Try to imagine all their Exchange servers locking up all at once and all their mail traffic being rerouted to parts unknown, effectively bringing about the end of your client's existence as a functioning company.
Dr. Ray Stantz: Total packet reversal!
IA: Right. That's bad. Okay. All right. Important safety tip. Thanks, Egon.
administrators... wrong decisions (Score:4, Insightful)
administrators may end up making the wrong decisions about applying the update.
Decision? Automatically apply updates and reboot? Check.
One year later: BREAK
Well, that's Microsoft, Boss. Whatada gonna do? Sure I'll come in for overtime; you buying pizza? I want Hawaiian.
Makes you wonder... (Score:2)
Re: (Score:2)
Side-by-side vulnerability comparisons are bullshit to begin with.
Anyone with a brain larger than a peanut will have noticed that software is created by humans and that there have always been security vulnerabilities in any OS, including remote exploits in OpenBSD, which is basically as secure as an OS can get from a human creation policy perspective.
The point is what security measures are there to prevent such bugs from becoming a remote security hole?
Windows means anti-malware, but this is after the effec
More important (Score:2)
"[...]they're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update."
Right, there's been a fair few times where I've not applied security patches "right away" for simple reasons; like they did not affect the way my system was set up.
But in the end I am hoping "[...]end up making the wrong decisions about applying the update" is talking about a time aspect rather than if-at-all
Re: (Score:2)
You're a moron. I can tell by your use of words like "cheep."
So, explain how UAC differs significantly from OS X's requesting you input username and password each time it wants to update, or do other tasks, or in *nix, when it asks for temporary root access to install things? Or are those also just ways to put it on the user and not fix security issues?
Re: (Score:1)
A key difference between Mac OS's prompt for administrative credentials and *nix sudo (which are the same thing; the Mac OS prompt for an admin login is essentially a graphical sudo) and UAC
is that in those OSes the elevation is a true security boundary respected by the underlying kernel, and actual user credentials are required to defeat it.
Whereas with UAC, the 'security boundary' is a soft, artificial one that is easily defeated through various techniques.
Also, the UAC prompts are required for many routine op
Re: (Score:2)
In Windows 7, many of those operations no longer require UAC approval - regardless of the fact that they impact the system (i.e. changing the loaded driver for hardware without installing new hardware to do it) - just like Mac OS X.
UAC can also be configured to require the user's credentials to elevate, even when logged in as an admin.
Also, UAC is indeed a boundary at the lowest level, hence the requirement to bloody reboot when you change it (can you tell I hate rebooting).
But hey, don't let facts get in t
Re: (Score:1)
Also, UAC is indeed a boundary at the lowest level, hence the requirement to bloody reboot when you change it (can you tell I hate rebooting).
Nonsense. If the user is an administrator, UAC is not a security boundary. See here [msdn.com]:
Re: (Score:2)
You can actually configure UAC so you don't have the token, you know. Require password every time you try to elevate.
Anyway, if you say that UAC is not a boundary (you'll note I didn't specify which user type you elevate from) then neither is sudo or Mac OS X elevation.
Re: (Score:1)
I'm talking about default configurations here; it's not worth it to discuss imaginary high-security configurations that real users never apply to their systems in real life.
Repeat after me: If it is not secure by default, then it is not secure.
When Microsoft makes the default that the user does not possess the second token, and a password is required, then we can refer to UAC as a security boundary.
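As an added example (not from any poster in this thread): a PowerShell audit of the UAC policy values the last few comments argue about, assuming the documented registry key under Policies\System and the documented meanings of ConsentPromptBehaviorAdmin. It reports whether elevation on this machine demands a password (the commenter's criterion for a real boundary) or merely a consent click.

```powershell
# Added example, not from the thread: report whether UAC is configured the
# way the comment above demands (credentials, not a click, to elevate).
# Assumes the documented UAC policy key and value meanings.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default on Windows 7 and later)'
}

function Get-UacPosture {
    $policy = Get-ItemProperty -Path $UacPolicyKey

    # Missing values read as 0; EnableLUA = 0 means UAC is off entirely.
    $enableLua     = [int]$policy.EnableLUA
    $adminBehavior = [int]$policy.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$policy.PromptOnSecureDesktop

    # Is this shell already running with the full administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The commenter's criterion: approving the prompt must take a password,
    # not just a click. Consent-only modes (2, 4, 5) fail that criterion.
    $requiresCredentials = ($enableLua -eq 1) -and (@(1, 3) -contains $adminBehavior)

    [pscustomobject]@{
        UacEnabled                   = ($enableLua -eq 1)
        AdminPromptBehavior          = $adminBehavior
        AdminPromptMeaning           = $AdminPromptMeaning[$adminBehavior]
        SecureDesktopPrompt          = ($secureDesktop -eq 1)
        ShellIsElevated              = $elevated
        ElevationRequiresCredentials = $requiresCredentials
    }
}

Get-UacPosture | Format-List
```

A machine on default settings reports ElevationRequiresCredentials as False; setting ConsentPromptBehaviorAdmin to 1 via Group Policy ("Prompt for credentials on the secure desktop") is what flips it to True.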
This invalidates studies of Windows security (Score:1)
A claim researchers have sometimes made is that Windows has fewer critical security issues.
That this has come to light raises even more doubt about the validity of such studies.
This is a demonstration that Microsoft sometimes hides critical security bugs, and doesn't release advisories, even when they have been reported.
This is Prima Facie evidence that Microsoft closed-source software probably has many critical security vulnerabilities that were never publicized such, and were instead kept secret, a
Re: (Score:1)
Dunno if it's related, but a recent update killed my computer at home. So between silent updates and updates that make your computer secure by making it non-functional, it's just more of the same from our friends at Redmond.
Re: (Score:1)
I don't think it's new, but you see... this is tangible credible evidence that can be cited. Much better than anecdotes from individuals about MS practices.
It's very rare that MS silently patches something or pretends an issue doesn't exist, and the industry and major publications actually acknowledge that it happened.
Re: (Score:2)
>The truth is that it's business as usual for not just Microsoft, but for most software makers, said Storms. "Vendors commonly find bugs themselves in released code and will distribute the fixes inside a bundle of other patches," he noted. "Many times there simply is no benefit to anyone to disclose the bug."
Re: (Score:1)
"Many times there simply is no benefit to anyone to disclose the bug."
This is sure and utter nonsense.
Re: (Score:2)
Re: (Score:1)
Time for you to get out of IT if you think you need to blindly apply every patch marked important; that is an extreme waste.
It doesn't matter what the rating is: if the patch isn't for an issue that affects you, it is not worth the cost in terms of downtime risk and overhead to apply that patch.
Doubly so for non-critical rated issues.
For every patch, you read the security advisories in detail, and determine whether to implement the patch, or design a workaround to prevent the issue from being exploi
trust? (Score:1)
So basically, if you can't trust MS to be truthful and upfront about security updates, what can you trust them with?