Slashdot Mirror


Security Firm Reveals Microsoft's "Silent" Patches

CWmike writes "Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said on Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as 'important,' its second-highest threat ranking. Ivan Arce, CTO of Core Security Technologies, said Microsoft patched the bugs, but failed to disclose that it had done so — which could pose a problem. 'They're more important than the [two vulnerabilities] that Microsoft did disclose,' said Arce. 'That means [system] administrators may end up making the wrong decisions about applying the update. They need that information to assess the risk.'"

"Secret patches are neither new nor rare. 'This has been going on for many years and the action in and of itself is not a huge conspiracy,' said Andrew Storms, director of security operations at nCircle Security. What is unusual is that Core took Microsoft's silent updates public. Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.' Microsoft confirmed this instance and defends the practice, noting that updates can 'be destructive to customer environments.' But Storms echoed Arce's concern about possible misuse of the practice, which could result in a false sense of security among users."

16 of 84 comments

  1. "Silent..." by gyrogeerloose · · Score: 3, Funny

    ...but deadly.

    --
    This ain't rocket surgery.
  2. Tru Dat by MrTripps · · Score: 2, Informative

    Updates can be destructive to customer environments. Just ask anyone who uses McAfee.

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
    1. Re:Tru Dat by bsDaemon · · Score: 3, Funny

      yeah, but McAfee is disruptive/destructive by default. Are you sure that's a fair example?

  3. sneaky bastards! by Anonymous Coward · · Score: 3, Insightful

    they should tell us about everything they're doing. they can do/undo bugs and we'd never know it.

  4. How so? by khasim · · Score: 3, Interesting

    Saying that Microsoft 'misrepresented' and 'underestimated' the criticality of MS10-024 because it didn't reveal the two bugs, Core urged company administrators to 'consider re-assessing patch deployment priorities.'

    How so? If it is a patch, it needs to go through your testing process for deployment.

    1. Re:How so? by h4rr4r · · Score: 4, Insightful

      Because the level of the threat may determine how long that testing process is, and such. You may be willing to take more risk from the patch if the issue it cures is very important.

    2. Re:How so? by Todd+Knarr · · Score: 2, Informative

      Because what's in the patch determines the priority for testing/QA. If the patch apparently only addresses low-risk vulnerabilities or ones we've got other mitigation in place for, we may decide to give that patch a low priority and not test and deploy it quickly. If the patch's description doesn't disclose that the patch also addresses a severe high-risk vulnerability that we have no mitigation in place for, then we've given the deployment the wrong priority and don't know that we have. The end result won't be pretty.
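The prioritisation the two replies above describe (priority follows the worst vulnerability the advisory discloses, discounted where a compensating control already exists) is easy to put into a small triage routine. The following is an added example, not code from the article or from any of the commenters; the severity scale, the deployment windows and the sample bulletin entries are constructed assumptions, and the issue identifiers are placeholders rather than real CVE numbers. It shows how an advisory that omits a fixed issue leads a reasonable policy to pick a longer deployment window than the full set of fixes would warrant.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    """One vulnerability fixed by a bulletin."""
    ident: str        # placeholder id, not a real CVE
    severity: str     # "low" | "moderate" | "important" | "critical"
    mitigated: bool   # is a compensating control already in place?


@dataclass(frozen=True)
class Bulletin:
    """A vendor bulletin and the issues it is known to fix."""
    name: str
    issues: tuple


# Constructed ranking of vendor severity labels (higher is worse).
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Constructed policy: days allowed between release and full deployment.
DEPLOY_WINDOW_DAYS = {1: 90, 2: 30, 3: 14, 4: 3}


def effective_rank(issue: Issue) -> int:
    """Rank an issue, downgrading one step (never below low) if mitigated."""
    rank = SEVERITY_RANK[issue.severity]
    return max(1, rank - 1) if issue.mitigated else rank


def deployment_window(bulletin: Bulletin) -> int:
    """Deployment window driven by the worst issue known to be fixed."""
    if not bulletin.issues:
        return DEPLOY_WINDOW_DAYS[1]
    worst = max(effective_rank(i) for i in bulletin.issues)
    return DEPLOY_WINDOW_DAYS[worst]


def disclosure_gap(published: Bulletin, complete: Bulletin) -> int:
    """Days of extra exposure the published advisory alone would permit."""
    return deployment_window(published) - deployment_window(complete)


# Constructed sample: the advisory as published lists two issues for which
# the site already has a mitigation (e.g. the affected service is firewalled).
PUBLISHED = Bulletin(
    name="MS10-024",
    issues=(
        Issue("ISSUE-A", "important", mitigated=True),
        Issue("ISSUE-B", "important", mitigated=True),
    ),
)

# The same bulletin with the undisclosed fixes added; the site has no
# mitigation for those, so they keep their full rank.
COMPLETE = Bulletin(
    name="MS10-024",
    issues=PUBLISHED.issues + (
        Issue("ISSUE-C", "important", mitigated=False),
        Issue("ISSUE-D", "important", mitigated=False),
    ),
)


if __name__ == "__main__":
    print("window from advisory alone:", deployment_window(PUBLISHED), "days")
    print("window with all fixed issues:", deployment_window(COMPLETE), "days")
    print("extra exposure:", disclosure_gap(PUBLISHED, COMPLETE), "days")
```

With the constructed inputs the published advisory yields a 30-day window (two mitigated "important" issues rank as moderate), while the complete list yields 14 days, so the silent fixes cost 16 days of unplanned exposure under this policy. The point is not the specific numbers but that any severity-driven policy is only as good as the advisory feeding it.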

  5. Phwew, back to status quo... by hoggoth · · Score: 5, Funny

    Phwew! Thank you Microsoft. Just yesterday I posted that I usually find a reason to hate Microsoft each day, but yesterday I loved the new Office 10. Thanks for bringing me back to my comfortable place.

    http://slashdot.org/comments.pl?sid=1641038&cid=32102920&art_pos=1

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  6. Nobody ever got fired for lying by Aighearach · · Score: 5, Insightful

    they've got to keep those great security stats they publish about themselves somehow, right?

  7. How appropriate by somersault · · Score: 4, Funny

    Ivan Arce

    I've an arse too, but I don't feel the need to point it out to everyone..

    --
    which is totally what she said
    1. Re:How appropriate by Cro+Magnon · · Score: 2, Funny

      It's probably just as well that they didn't mention his sister, Imma.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  8. Apply all critical patches regardless of platform by kervin · · Score: 5, Insightful

    All vulnerabilities and patch side effects should be described, so I'm not defending the practice. But until a system administrator has the full source code of the system and is willing and capable of auditing it, they should apply all critical patches.

    Regardless of the operating system.

  9. Re:Apply all critical patches regardless of platfo by petermgreen · · Score: 2, Informative

    According to the article some of these patches were only marked as important not critical.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  10. You're looking at this the wrong way by spun · · Score: 3, Informative

    Microsoft was not fixing a bug, it was removing a remote access feature. They didn't mention it because they didn't want people to complain that this valuable functionality was being removed.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  11. Dr. Egon Spengler, Microsoft Chief Security Officer by RevWaldo · · Score: 5, Funny

    (on conference call)

    Dr. Egon Spengler: There's something very important we forgot to tell you.
    Ivan Arce: What?
    ES: Advise your clients to install security update MS10-024.
    IA: Why? What would happen if they didn't?
    ES: It would be bad.
    IA: I'm fuzzy on the whole good/bad thing. What do you mean, "bad"?
    ES: Try to imagine all their Exchange servers locking up all at once and all their mail traffic being rerouted to parts unknown, effectively bringing about the end of your clients' existence as a functioning company.
    Dr. Ray Stantz: Total packet reversal!
    IA: Right. That's bad. Okay. All right. Important safety tip. Thanks, Egon.
  12. administrators... wrong decisions by Culture20 · · Score: 3, Insightful

    administrators may end up making the wrong decisions about applying the update.

    Decision? Automatically apply updates and reboot? Check.
    One year later: BREAK
    Well, that's Microsoft, Boss. Whatada gonna do? Sure I'll come in for overtime; you buying pizza? I want Hawaiian.