Security Firm Reveals Microsoft's "Silent" Patches

CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'" "Secret patches are neither new or rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy," said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can "be destructive to customer environments." But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."

Microsofts creative stats has been known for ages.

[miffo.swe]

Microsofts very creative way of handling security has been known for a long time. Instead of fixing the bugs they go for the statistics. By downplaying any security issue until openly proven wrong and rate vulnerabilities as low as possible the statistics look much better.

Another smart move was UAC that puts all the blame on the user but doesnt fix the underlying security issues.

Comparing only Windows to Linux + All applications is also very deceptive, especially with the practices above in mind.

The sad thing is, it works. People tend to think Microsoft has improved their security when infact Windows 7 in many cases are worse than than its predecessor. If you lie enough times with a straight face stupid cheep will think its true.