Computerworld is reporting that Core Security Technologies discovered that Microsoft had patched three vulnerabilities in Exchange and Windows SMTP last month and didn’t publicize the fact. Core Security makes penetration testing software.
Although such silent fixes are not new, Core researchers pointed out that two of the three fixes patched more serious flaws than the announced ones did in Microsoft’s Security Bulletin MS10-024.
Story here: “Security firm reveals Microsoft’s ‘silent’ patches”
Patching vulnerabilities puts a developer into a labyrinth of decisions not only about what to fix but what to tell the world about the patches. After all, as soon as a high-profile patch is made – and a lot of Microsoft’s are high profile – there are malicious operators out there trying to reverse engineer the patches to see what the vulnerabilities were that prompted the update. The vulnerabilities can be targeted by exploits which are then aimed at the huge number of Microsoft users who don’t run updates.
On the other hand, there is an army of IT people with tens of thousands of machines to maintain who must make some decisions about what updates to run and which ones to run when. Although most people think that IT exists outside space and time, they really are human with only so many hours in a day. Publishing an update without publicizing what it fixes means they might put some updates in the “do it in 30 days,” or “we don’t run that” category.
— Tom Kelchner