Microsoft silently patches major vulnerability

The security firm Core Security Technologies has gone through Microsoft's monthly Windows patches and found vulnerabilities that were silently fixed by patches issued for other, disclosed bugs. Under Microsoft's internal policy, bugs discovered internally are not disclosed.

According to ZDNet, Core Security Technologies examined Microsoft patch MS10-024, which was published as a fix for a potential Denial of Service vulnerability in Microsoft Exchange and the Windows SMTP service, and found that more serious vulnerabilities were fixed by the same patch but not disclosed.

While researching the fixes issued by Microsoft in Microsoft's Security Bulletin MS10-024, published April 13, 2010, Nicolás Economou discovered two vulnerabilities in the Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios.

An attacker may trivially leverage the two previously undisclosed vulnerabilities fixed by MS10-024 to spoof responses to any DNS query sent by the Windows SMTP service. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications, with impact beyond just the Denial of Service and Information Disclosure originally stated in MS10-024.

As a result, the importance of deploying the MS10-024 patches may be misrepresented in the vendor's security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.
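The DNS response spoofing the advisory describes only works if the receiver accepts a reply it cannot tie to its own outstanding query. The following Python example is added here and is not part of the article or of Core's advisory; it shows the resolver-side checks that make blind spoofing non-trivial: a transaction ID drawn from the OS CSPRNG, and rejection of any reply whose source, transaction ID or question section does not match the query that was sent. The host names, addresses and packet bytes are constructed for the example, and nothing here reproduces the specific defect in the Windows SMTP service, which the advisory does not detail.

```python
import os
import struct


def _encode_name(name):
    """Encode a dotted host name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(msg, off, max_jumps=8):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if jumps >= max_jumps:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # name ends after the first pointer
            off, jumps = ptr, jumps + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def new_txid():
    """16-bit transaction ID from the OS CSPRNG, never a counter or a constant."""
    return struct.unpack(">H", os.urandom(2))[0]


def build_query(txid, name, qtype=1):
    """Minimal recursive query: header plus one IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(txid, name, qtype, answer_ip, ttl=300):
    """Response echoing the question, with one A record whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack(">HH", qtype, 1)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def send_query(name, server, qtype=1):
    """Return (wire bytes, pending-state record). Real code would sendto() these
    bytes from a UDP socket bound to an OS-chosen random port, bind(("", 0))."""
    txid = new_txid()
    pending = {"txid": txid, "name": name, "qtype": qtype, "server": server}
    return build_query(txid, name, qtype), pending


def validate_response(pending, msg, src):
    """Accept `msg` only if it is demonstrably the answer to `pending`.
    `src` is the (ip, port) the datagram arrived from. Returns (accepted, reason)."""
    if src != pending["server"]:
        return False, "unexpected source"
    if len(msg) < 12:
        return False, "too short"
    txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if txid != pending["txid"]:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if qdcount != 1:
        return False, "question mismatch"
    try:
        qname, off = _decode_name(msg, 12)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    except (ValueError, IndexError, struct.error):
        return False, "malformed"
    if (qname.lower(), qtype, qclass) != (pending["name"].lower(), pending["qtype"], 1):
        return False, "question mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: one legitimate reply and three forged ones."""
    server = ("192.0.2.53", 53)        # constructed, RFC 5737 documentation range
    attacker = ("198.51.100.66", 53)   # constructed
    _wire, pending = send_query("mx.example.com", server)
    txid = pending["txid"]
    legit = build_response(txid, "mx.example.com", 1, "192.0.2.25")
    # Blind forger: does not know the txid; this guess is wrong (1 in 65536 odds per try).
    blind = build_response((txid + 1) & 0xFFFF, "mx.example.com", 1, "198.51.100.7")
    # Forger who learned the txid but did not spoof the server's address/port.
    unspoofed = build_response(txid, "mx.example.com", 1, "198.51.100.7")
    # Right txid and source, but an answer to a question that was never asked.
    bait = build_response(txid, "smtp.example.org", 1, "198.51.100.7")
    return {
        "legit": validate_response(pending, legit, server),
        "blind": validate_response(pending, blind, server),
        "unspoofed_source": validate_response(pending, unspoofed, attacker),
        "bait": validate_response(pending, bait, server),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17s} -> {result}")
```

A predictable transaction ID, a fixed source port, or skipping any one of these comparisons is what turns a 1-in-65536-per-packet guess into a trivial spoof; the source-port check here is implicit in the socket, so the example only shows the address comparison and the transaction ID and question checks.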

The vulnerabilities described above are more serious than the ones Microsoft disclosed. This should be a reminder to all users to update their machines and ensure they are up to date on the latest security patches.

Microsoft rolls out a new batch of patches on the second Tuesday of every month, also known as Patch Tuesday.


17 Comments


omnicoder said,
"Microsoft does its job, story at 11."
Not newsworthy in my opinion.

Generic "I don't care-then why do you bother posting" incident, story at 11.

I wish they patched them all more silently. I hate the whole "Here's this security problem... here's exactly how it works... and here's an example of someone hacking your computer. Patch coming next week!"

Nightwind Hawk said,
I wish they patched them all more silently. I hate the whole "Here's this security problem... here's exactly how it works... and here's an example of someone hacking your computer. Patch coming next week!"

They are giving everyone a chance to hack some machines before patching the exploit

I don't suppose that in the process of testing one patch the changes made might cause the other bugs so those also have to be fixed together? I don't think it matters if one patch fixes 2 or 3 bugs as long as they get fixed.

GP007 said,
I don't suppose that in the process of testing one patch the changes made might cause the other bugs so those also have to be fixed together? I don't think it matters if one patch fixes 2 or 3 bugs as long as they get fixed.

It could also have been "accidentally" fixed or discovered then fixed during the patch process. At that point they just release it as one big fix but only disclose the original bug it was intended to fix.