Bulletin MS10-024, issued April 13 as part of Microsoft's regular Patch Tuesday update, silently fixed two flaws affecting Microsoft Exchange and Windows SMTP Services. The bugs could be leveraged to spoof responses to domain name system (DNS) queries and read a victim's email messages, according to researchers at Core Security.
The vulnerabilities, however, were not disclosed in Microsoft's security bulletin and were not given unique Common Vulnerabilities and Exposure (CVE) identifiers, yielding criticism that Microsoft downplayed the severity of the patch.
In its advisory, Microsoft described only denial-of-service and information-disclosure vulnerabilities.
Its omission of the DNS poison bugs may have caused IT administrators to give the patch a lower priority than they should have, researchers said.
“We thought users needed that information to figure out if they should or shouldn't deploy the patch, and with what urgency,” Ivan Arce, CTO of Core Security, told SCMagazineUS.com on Thursday.
DNS attacks result from design weaknesses of the DNS protocol and were first described in the 1990s. The threat became well known two years ago when security researcher Dan Kaminsky unveiled a major DNS cache poisoning vulnerability.
“DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications, with impact beyond just denial-of-service and information disclosure as originally stated in MS10-024,” Nicolás Economou, a researcher at Core Security, wrote in an advisory about the bugs.
According to the advisory, the bugs affect Microsoft Windows 2000, XP, 2003 and 2008, along with Microsoft Exchange Server 2003, 2007 and 2010.
In a statement sent to SCMagazineUS.com on Thursday, Jerry Bryant, group manager of response communications at Microsoft, confirmed that MS10-024 includes additional fixes other than the vulnerabilities documented in the bulletin.
“The additional fixes applied to an unrelated security issue that was tied closely to the issue the bulletin addressed and was discussed in the FAQ section of the bulletin,” Bryant said.
When a security vulnerability is discovered, Microsoft conducts an investigation of that bug and also addresses any other issues found in the code, he said. This practice helps reduce the number of updates customers have to deploy.
“Our goal is to make sure the recommended action to our customers is clear,” Bryant said.
It is common for vendors to silently patch vulnerabilities, Andrew Storms, director of security operations at vulnerability management vendor nCircle, told SCMagazineUS.com on Thursday. Further, vendors do not have an obligation to disclose any bugs found internally.
“Vendors do this pretty much all the time,” Storms said.
But Core Security's Arce said that while it is common among vendors, it is not a good practice.
“You don't know if the patch you are about to install fixes one bug or 50,” he said. “It's confusing and it's risky.”
In this case, the bugs were “a little bit riskier” than what Microsoft said in its patch advisory, Storms said.
IT administrators should not fully rely on the ratings that vendors give patches and should always evaluate the risk internally, he added. This particular patch was probably already applied at most organizations given the importance of Microsoft Exchange Server. Those who have not yet patched it need to go back and reassess the risk and prioritization of the patch.