Security firm Core Security Technologies has pulled up Microsoft on its practice of silently patching as it doesn’t give system administrators the information they require to keep their systems safe.
These two patches contain a total of three “silent” fixes, that is, fixes for bugs that Microsoft uncovered internally. Microsoft’s policy is not to disclose such fixes as part of the monthly bulletin list. But in this case, the practice means that the seriousness of the update is underestimated by Microsoft’s own bulletin.
Take MS10-024. The bulletin states that this update patches a DoS (Denial of Service) vulnerability. However, Core Security Technologies uncovered two more serious bug fixes in it.
While researching the fixes issued by Microsoft in Microsoft’s Security Bulletin MS10-024, published April 13, 2010, Nicolás Economou discovered two vulnerabilities in Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor’s security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor’s security bulletin may overlook or misrepresent actual threat scenarios.
An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-024 to trivially spoof responses to any DNS query sent by the Windows SMTP service. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.
As a result, the importance of deploying MS10-024 patches may be misrepresented in the vendor’s security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.
Now, we’ve known for some time that Microsoft doesn’t disclose vulnerabilities it discovers internally, but this is the first time that we’ve seen first-hand how not disclosing all the vulnerabilities fixed by a patch can skew the perceived seriousness of the patch itself. In the example above, MS10-024 is actually a far more important patch than the bulletin issued by Microsoft would lead users to believe.
Microsoft – Do the right thing and start listing ALL vulnerabilities fixed by a patch!