A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said. MS10-024 fixed two flaws that made it possible for adversaries to intercept victims' email messages sent by Exchange and Windows SMTP service, …
So the big (unasked) question is...
How many more friggin' updates have had critical patches slipstreamed in without notice?
Mentioning Exchange... Exchange itself (the service, not the server it sits on) is a special creature, one which makes an admin always stop and weigh options before patching. The reason why is that (downtime aside) in at least Exchange 2007's case, you either patch all Exchange boxen at the same time (and update ISA if you're using 2006 or earlier), or your OWA service gets rendered inoperative until you do.
I'd like to think that this was more a case of incompetence than an attempt to fudge the vuln numbers... but with this gaggle of clowns it's damned hard not to think the worst.
So much for MS security, security, security mantra.
Always good to know where MS's *real* priorities lie.
Patent trolling competitors $$$$$$
Looking for dumb-as-stump security holes $.
A quick read of the article suggests a lot of this would have been stopped in its tracks with a *decent* random number generator.
But that *might* have been a bit more time consuming to debug.
Just a thought.
Maybe keeping secrets is good
If the vulnerabilities had been publicly disclosed then exploited, who knows what extra grief we'd have had.
I don't have a problem with MS keeping this fix quiet.
I do have a problem with whiners and such though.
security through obscurity
is no security at all
Maybe this is what Verizon meant when it tried to besmirch the good name of security researchers......
They fixed a serious bug? Those bastards!
it's not a bug .. it's a feature ..
Perhaps they need to weigh up...
...the risk of not fully disclosing the issue against the risk of potential zero-day attacks based upon such disclosure and used upon such machines as are not (at that time) updated. At my local library all updates are downloaded and auto-installed when the machine is switched off. Such switch off may happen that night, or the next, or the next. Pretty much the only time the machines are (usually) known to be off is on a Sunday. That's a long time from patch Tuesday.
Likewise my work, half the Q&A machines aren't turned off (hell, half the time the girls have gone home still logged in AND running VNC servers (WTF for?!) - if I was their IT guy, they'd ALL be in for a slapping) so when are the updates applied? You can't "update/restart" as it happens, no doubt somebody will have spent the last six hours making a PowerPoint...
I usually ignore updates on patch Tuesday, waiting instead until Wednesday evening or Thursday to install (time to see if anything is reported as going "bang!").
So the decision comes down to assessing the likely problems of delays between security patches being made available, and said patches being actually applied.
Now imagine, in all these scenarios, if you disclose details of a hole closed, especially one that was not known to be exploited - you've suddenly and potentially opened the hole to the potential millions of users who have not yet applied said patch. Maybe keeping quiet once in a while isn't such a bad thing?
"potential zero-day attacks based upon such disclosure"
If it's been disclosed, any attack based on the disclosure is, by definition, NOT zero-day.
Of course, whenever a patch is released, the bad guys can try to exploit the hole wherever people are slow to patch. The point of the descriptions and severity rating is to allow administrators to make their own rational decisions about how quickly they should patch. Microsoft lied to their customers in saying MS10-024 fixed "moderate or important", but not "critical" holes, and therefore undermined the ability of those customers to make the best decision.
They also made a strong incentive for the bad guys to carefully reverse-engineer future patches to find other more-important-than-advertised holes.
So, "secret updates" as well as this gem...
"After you install this security update on a Windows Server 2008-based system that has Internet Information Services (IIS) installed, the SMTP configuration options are reset. Any SMTP configuration options that were set before you install this update are lost. Any SMTP configuration options that are needed must be manually reapplied after you install this security update."
Apply security update, server no worky, wha?
There are reasons why I try and read everything I can about every update before I have the chance to be "bitten".
I can't recall when I last saw a security update description from Redmond that wasn't a hundred percent mealy-mouthed crap. They apparently let first line support write those, while a marketeer is looking over their shoulder to pick off any actual truths.
They'd label the big red button ``pushing this may possibly be serious perhaps in some cases, for some users, in some situations.''
So why is Core picking on them now, as opposed to every other bulletin issued in the previous decade?
Perhaps more likely:
... maybe it's just that it has so many bugs that they were trying to fix one bug and fixed two others by accident.
As I see it this seems to be a difference of opinion as to the severity of the bugs in question between MS and "a security researcher".
He reckons they're critical and warrant shouting from the rooftops, MS reckon they're on the important / moderate list of "other things fixed this time round".
A security researcher talking up his pet flaws? Say it ain't so......
And now, the shipping forecast: Dogger Bank, force 7, strengthening Westerly. Teacup, Hurricane force 12......
or put it another way...
... A software supplier talking down all flaws? Say it ain't so.
In other news ...
...Not disclosing a flaw is found to be not the same as no-one knowing about it. In a shock revelation today...
... Turns out that simply not talking about a problem does not make it not-a-problem it just means that people who trust you are let down.
Yeah - maybe they did not know they fixed the bugs, it was accidental.
But in that case, wouldn't you retroactively upgrade the patch from "Important" to "You Bet Your Fundament It's Important".
Then again, all "Important" patches should be re-issued a month later as "You Are Aware Of The Meaning Of The Word 'Important', Are You Not, Perhaps You Are In The Wrong Job".
As an administrator of several Windose boxen, I seem to remember having the ability to make a choice over which MS Updates to install and which not, but that was quite a while ago.
It doesn't matter which machine I use, I am offered updates, but no ability to select or deselect.
Do other people still get an option?
If so, maybe I am being shafted by something else (undisclosed)?
Your Windose boxen ist kaput
Yeah, I still have that option for the many thousands of boxes I have to patch each month. I guess it's a problem your end.... good luck finding what's causing it.
Doesn't sound like a secret to me