Microsoft update secretly fixed two 'severe' bugs A recent security patch from Microsoft silently fixed two severe bugs that were never disclosed even though they posed a risk to many of its customers, a security researcher said. MS10-024 fixed two flaws that made it possible for adversaries to intercept victims' email messages sent by Exchange and Windows SMTP service, …
How many more friggin' updates have had critical patches slipstreamed in without notice?
Mentioning Exchange... Exchange itself (the service, not the server it sits on) is a special creature, one which makes an admin always stop and weigh options before patching. The reason why is that (downtime aside) in at least Exchange 2007's case, you either patch all Exchange boxen at the same time (and update ISA if you're using 2006 or earlier), or your OWA service gets rendered inoperative until you do.
I'd like to think that this was more a case of incompetence than an attempt to fudge the vuln numbers... but with this gaggle of clowns it's damned hard not to think the worst.
Always good to know where MS's *real* priorities lie.
Paten trolling competitors $$$$$$
Looking for dumb-as-stump security holes $.
A quick read of the article suggests a lot of this would have been stopped in its tracks with a *decent* random number generator.
But that *might* have been a bit more time consuming to debug.
Just a thought.
...the risk of not fully disclosing the issue against the risk of potential zero-day attacks based upon such disclosure and used upon such machines as are not (at that time) updated. At my local library all updates are downloaded and auto-installed when the machine is switched off. Such switch off may happen that night, or the next, or the next. Pretty much the only time the machines are (usually) known to be off is on a Sunday. That's a long time from patch Tuesday.
Likewise my work, half the Q&A machines aren't turned off (hell, half the time the girls have gone home still logged in AND running VNC servers (WTF for?!) - if I was their IT guy, they'd ALL be in for a slapping) so when are the updates applied? You can't "update/restart" as it happens, no doubt somebody will have spent the last six hours making a PowerPoint...
I usually ignore updates on patch Tuesday, waiting instead until Wednesday evening or Thursday to install (time to see if anything is reported as going "bang!").
So the decision comes down to assessing the likely problems of delays between security patches being made available, and said patches being actually applied.
Now imagine, in all these scenarios, if you disclose details of a hole closed, especially one that was not known to be exploited - you've suddenly and potentially opened the hole to the potential millions of users who have not yet applied said patch. Maybe keeping quiet once in a while isn't such a bad thing?
If it's been disclosed, any attack based on the disclosure is, by definition NOT zero-day.
Of course, whenever a patch is released, the bad guys can try to exploit the hole where ever people are slow to patch. The point of the descriptions and severity rating is to allow administrators to make their own rational decisions about how quickly they should patch. Microsoft lied to their customers in saying MS10-024 fixed "moderate or important", but not "critical" holes, and therefore undermined the ability of those customers to make the best decision.
They also made a strong incentive for the bad guys to carefully reverse-engineer future patches to find other more-important-than-advertised holes.
From http://support.microsoft.com/default.aspx?scid=kb;EN-US;976323
"After you install this security update on a Windows Server 2008-based system that has Internet Information Services (IIS) installed, the SMTP configuration options are reset. Any SMTP configuration options that were set before you install this update are lost. Any SMTP configuration options that are needed must be manually reapplied after you install this security update."
Apply security update, server no worky, wha?
There are reasons why I try and read everything I can about every update before I have the chance to be "bitten".
I can't recall when I last saw a security update description from redmond that wasn't a hundred percent mealy-mouthed crap. They apparently let first line support write those, while a marketeer is looking over their shoulder to pick off any actual truths.
They'd label the big red button ``pushing this may possibly be serious perhaps in some cases, for some users, in some situations.''
So why is core picking on them now, as opposed to every other bulletin issued in the previous decade?
As I see it this seems to be a difference of opinion as to the severity of the bugs in question between MS and "a security researcher".
He reckons they're critical and warrant shouting from the rooftops, MS reckon they're on the important / moderate list of "other things fixed this time round".
A security researcher talking up his pet flaws? Say it ain't so......
And now, the shipping forecast: Dogger Bank, force 7, strengthening Westerly. Teacup, Hurricane force 12......
... A software supplier talking down all flaws? Say it ain't so.
In other news ...
...Not disclosing a flaw is found to be not the same as no-one knowing about it. In a shock revelation today...
... Turns out that simply not talking about a problem does not make it not-a-problem it just means that people who trust you are let down.
But in that case, wouldn't you retroactively upgrade the patch from "Important" to "You Bet Your Fundament It's Important".
Then again, all "Important" patches should be re-issued a month later as "You Are Aware Of The Meaning Of The Word 'Important', Are You Not, Perhaps You Are In The Wrong Job".
As an administrator of several Windose boxen, I seem to remember having the ability to make a choice over which MS Updates to install and which not, but that was quite a while ago.
It doesn't matter which machine I use, I am offered updates, but no ability to select or deselect.
Do other people still get an option ?
If so, maybe I am being shafted by something else (undisclosed) ?
ALF
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
