Security Firm Reveals Microsoft's "Silent" Patches
,----[ Quote ]
| "Microsoft silently patched three
| vulnerabilities last month, two of them
| affecting enterprise mission-critical
| Exchange mail servers, without calling out
| the bugs in the accompanying advisories, a
| security expert said on Thursday. Two of the
| three unannounced vulnerabilities, and the
| most serious of the trio, were packaged with
| MS10-024, an update to Exchange and Windows
| SMTP Service that Microsoft issued April 13
| and tagged as 'important,' its second-
| highest threat ranking. Ivan Arce, CTO of
| Core Security Technologies, said Microsoft
| patched the bugs, but failed to disclose
| that it had done so - which could pose a
| problem. 'They're more important than the
| [two vulnerabilities] that Microsoft did
| disclose,' said Arce. 'That means [system]
| administrators may end up making the wrong
| decisions about applying the update. They
| need that information to assess the risk.'"
`----
http://tech.slashdot.org/story/10/05/06/1734250/Security-Firm-Reveals-Microsofts-Silent-Patches
Security firm reveals Microsoft's 'silent' patches
,----[ Quote ]
| Microsoft silently patched three
| vulnerabilities last month, two of them
| affecting enterprise mission-critical
| Exchange mail servers, without calling out
| the bugs in the accompanying advisories, a
| security expert said today.
|
| Two of the three unannounced
| vulnerabilities, and the most serious of the
| trio, were packaged with MS10-024, an update
| to Exchange and Windows SMTP Service that
| Microsoft issued April 13 and tagged as
| "important," its second-highest threat
| ranking.
|
| According to Ivan Arce, the chief technology
| officer of Core Security Technologies,
| Microsoft patched the bugs, but failed to
| disclose that it had done so.
`----
http://www.computerworld.com/s/article/9176373/Security_firm_reveals_Microsoft_s_silent_patches
Microsoft update secretly fixed two 'severe' bugs
,----[ Quote ]
| A recent security patch from Microsoft
| silently fixed two severe bugs that were
| never disclosed even though they posed a
| risk to many of its customers, a security
| researcher said.
|
| MS10-024 fixed two flaws that made it
| possible for adversaries to intercept
| victims' email messages sent by Exchange and
| Windows SMTP service, Nicolás Economou, a
| researcher with Core Security said. But the
| bugs - which made it "trivial" to spoof
| responses to domain name system queries -
| weren't disclosed and were never assigned a
| Common Vulnerabilities and Exposure
| identifier, sparking criticism that the
| critical bugs weren't properly disclosed.
`----
http://www.theregister.co.uk/2010/05/05/secret_microsoft_patch/
Not the first time (see below). Microsoft is lies, lies, lies.
Related:
Critical Vulnerability in Microsoft Metrics
,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update.
`----
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
Skeletons in Microsoft's Patch Day closet
,----[ Quote ]
| This is the first time I've seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins - a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.
`----
http://blogs.zdnet.com/security/?p=316
Beware of undisclosed Microsoft patches
,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond's silent patching
| practice?
`----
http://blogs.zdnet.com/microsoft/?p=527
Microsoft is Counting Bugs Again
,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
|
| [...]
|
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html?kc=MWRSS02129TX1K0000535