The security firm Core Security Technologies has gone through Microsoft's monthly Windows patches and found three bugs that were silently fixed alongside the disclosed ones. Under Microsoft's internal policy, bugs discovered internally are not disclosed in the bulletin.
According to ZDNet, Core Security Technologies examined Microsoft patch MS10-024, which was published as a fix for a potential Denial of Service vulnerability in Microsoft Exchange and the Windows SMTP service, and found that more serious vulnerabilities were fixed by the same patch but not disclosed.
While researching the fixes issued by Microsoft in Microsoft’s Security Bulletin MS10-024, published April 13, 2010, Nicolás Economou discovered two vulnerabilities in the Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor’s security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor’s security bulletin may overlook or misrepresent actual threat scenarios.
An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-024 to trivially spoof responses to any DNS query sent by the Windows SMTP service. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.
As a result, the importance of deploying the MS10-024 patches may be misrepresented in the vendor’s security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.
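To make the advisory's point concrete, the Python below is an added illustration, not code from the article or from Core's advisory, and it does not reproduce the specific flaws Core found. It builds a DNS MX query (the lookup an SMTP service makes before delivering mail), builds the forged response an off-path attacker would send, and applies the two checks a resolver needs before trusting an answer: the response must match the outstanding question, and its 16-bit transaction ID must match an ID the attacker cannot predict. A simulation then shows how a sequential ID source, or a client that skips the ID check, turns blind spoofing into a certainty. The hostnames and the sequential-ID generator are constructed for the demonstration.

```python
import secrets
import struct

QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed label sequence at `off`; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid: int, name: str, qtype: int = QTYPE_MX) -> bytes:
    """Standard recursive query: header (RD=1, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_mx_response(txid: int, name: str, exchange: str, pref: int = 10, ttl: int = 300) -> bytes:
    """Response with a single MX answer. A spoofer forges exactly this, picking txid and exchange."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    question = encode_name(name) + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    rdata = struct.pack("!H", pref) + encode_name(exchange)
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg: bytes) -> dict:
    """Parse header, question and MX answers from a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        aname, off = decode_name(msg, off)
        atype, aclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if atype == QTYPE_MX:
            exchange, _ = decode_name(rdata, 2)
            answers.append((aname, struct.unpack("!H", rdata[:2])[0], exchange))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "answers": answers}


def accept_response(query: bytes, response: bytes, check_txid: bool = True) -> bool:
    """Checks a client must pass before using an answer. check_txid=False models a
    client that ignores the transaction ID: any packet with the right question is accepted."""
    q, r = parse_message(query), parse_message(response)
    if not r["flags"] & 0x8000:                       # QR bit: must be a response
        return False
    if (r["qname"].lower(), r["qtype"], r["qclass"]) != (q["qname"].lower(), q["qtype"], q["qclass"]):
        return False                                  # answer to a different question
    return (not check_txid) or r["txid"] == q["txid"]


def sequential_ids(start: int = 0x1000):
    """Constructed weak ID source: a 16-bit counter, trivially predictable by anyone who saw one ID."""
    state = {"n": (start - 1) & 0xFFFF}
    def nxt():
        state["n"] = (state["n"] + 1) & 0xFFFF
        return state["n"]
    return nxt


def random_ids():
    """Proper ID source: CSPRNG-drawn 16-bit IDs (still only 65536 values, hence also randomize the source port)."""
    return lambda: secrets.randbelow(1 << 16)


def guess_next(prev: int) -> int:
    """Attacker strategy: assume the next ID follows the last one observed."""
    return (prev + 1) & 0xFFFF


def spoofed_accept_count(next_txid, attacker_guess=guess_next, trials: int = 2000,
                         check_txid: bool = True) -> int:
    """Simulate blind spoofing: one forged MX response per query; return how many the client accepts."""
    name, evil_mx = "example.com", "mx.attacker.invalid"   # constructed names
    accepted, prev = 0, next_txid()
    for _ in range(trials):
        txid = next_txid()
        forged = build_mx_response(attacker_guess(prev), name, evil_mx)
        accepted += accept_response(build_query(txid, name), forged, check_txid=check_txid)
        prev = txid
    return accepted


if __name__ == "__main__":
    print("sequential IDs, ID checked :", spoofed_accept_count(sequential_ids()), "/ 2000 accepted")
    print("random IDs, ID checked     :", spoofed_accept_count(random_ids()), "/ 2000 accepted")
    print("random IDs, ID ignored     :", spoofed_accept_count(random_ids(), check_txid=False), "/ 2000 accepted")
```

The first and third runs accept every forged packet; the second accepts almost none. Either weakness alone is enough for the "trivial" spoofing the advisory describes, and a single accepted MX answer redirects mail for that domain to the attacker's host for the record's TTL. Real clients should also randomize the UDP source port, which this example does not model.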
The vulnerabilities described above are more serious than the ones Microsoft disclosed. This should be a reminder to all users to update their machines and ensure they are up to date with the latest security patches.
Microsoft rolls out a new batch of patches on the second Tuesday of every month, also known as Patch Tuesday.