Breaking Code

May 5, 2010

The forgotten bug: silently patched vulnerabilities

Filed under: Vulnerabilities — Tags: , , , , , — Mario Vilas @ 10:39 am

Last month, Microsoft released the security bulletin MS10-024 with a patch for a denial of service vulnerability in Exchange and the Windows SMTP service:

“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service.”

However, researcher Nicolás Economou found an interesting surprise in this patch: two additional, undisclosed vulnerabilities had also been patched… and they were far more severe than the ones reported! From the Core Security advisory:

“Nicolas found that the Windows SMTP Service does its own DNS resolution of MX records rather that use the DNS resolver from the operating system while investigating CVE-2010-0024.

Furthermore, he found that the patch referenced in MS10-024 fixed two severe bugs that were not disclosed as such in the bulletin and had no CVE identifiers assigned to them. Basic analysis of the vulnerabilities disclosed in this advisory indicates that the threat of DNS spoofing attacks against Windows SMTP service and Microsoft Exchange or of exploitation of CVE-2010-0024 was underestimated in MS10-024.

An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP service trivially. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.”

In fact, the two “new” vulnerabilities were quite crass. Both Exchange and the SMTP service were doing their own manually crafted DNS queries using incremental transaction IDs, which is a big no-no when implementing DNS because it makes it real easy for attackers to guess the transaction ID and spoof replies, as is a well known fact for… say… the last 16 years or so? But as it turns out, attackers didn’t even need to guess the transaction IDs… because they weren’t even being used when parsing the DNS responses! 😯

This omission may be easily attributed to the “embarrasment factor” 🙂 but it’s still a terrible idea to patch vulnerabilities silently: IT administrators, unaware of the real danger of the problem, may give the patch a lower priority. A denial of service just means having the mail server down for a while until it restarts, so the patch can wait – it’d be worse if the server didn’t work at all because patching went wrong. On the other hand, a DNS poison vulnerability means having an attacker browse through everyone’s emails and taking over all other services you may have on the same machine – patching becomes much more worth the risk.

Of course, this isn’t the first time this happens. Practically every vendor did this at one time or another. A quick Google search for “silently patched vulnerability” shows some 1.400.000 hits at the time I’m writing this, showing this is neither new or uncommon – and that even small software vendors may easily get caught. Especially thanks to the rise of binary diffing tools that can pinpoint precisely where and how the code was patched.

Thanks Alfredo Ortega for pointing out this advisory and providing such a cool sounding title. 😉


  1. It’s important to note that msft hires *a lot* of people to review their source code; when they hire you do so, there really is no implication that they’re supposed to publicly disclose the bugs you find. I mean, they paid for that ability essentially, and they paid very well.

    I don’t know these were bugs that were found this way; but if I had to take a stab at it, that would be my guess. A lot of stuff gets fixed this way; the average *used* to be 2 bugs a day were found by *each* person reading the code; their code base has gotten a lot better, but it’s still 2 every few days or so.

    Granted, a lot of those are found in products or versions that have not been released yet, so that changes things a bit; I cannot remember the MSFT-speak term for when they have to patch something thats already live; but it happens enough to have a term for it ;]

    Comment by jf — May 5, 2010 @ 2:50 pm

  2. […] This post was mentioned on Twitter by hdmoore, Security4all, Bev Robb , Bill Gardner, Felix Aimé and others. Felix Aimé said: The forgotten bug: silently patched vulnerabilities Oô A LIRE 😡 #fou #grostrous […]

    Pingback by Tweets that mention The forgotten bug: silently patched vulnerabilities « Breaking Code -- — May 5, 2010 @ 9:40 pm

  3. Yeah, would be nice to know how many times we were exposed like under-aged kids.
    Salu2 marito!

    Comment by Gutes — May 6, 2010 @ 1:47 am

  4. […] over het hoofd worden gezien bij het maken van een analyse van het bulletin" stelt de researcher. Microsoft reageerde door te stellen dat het niet alle varianten van een aanval meeneemt in haar […]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 20 — May 7, 2010 @ 6:25 pm

  5. […] LinkedIn, reverse engineering, vulnerability, vulnerability research, win32, Windows Breaking Code This entry was posted in Breaking Code and tagged forgotten, patched, silently, vulnerabilities. […]

    Pingback by The forgotten bug: silently patched vulnerabilities | — January 24, 2011 @ 1:58 pm

  6. […] e Core Security ha a sua volta ribattuto: se volete immergervi nei dettagli tecnici, li trovate su Breaking Code, che spiega anche quanto sia diffusa questa prassi di affidare agli utenti aggiornamenti che […]

    Pingback by TechTricks » Microsoft patcha di soppiatto — February 7, 2013 @ 4:09 pm

  7. […] e Core Security ha a sua volta ribattuto: se volete immergervi nei dettagli tecnici, li trovate su Breaking Code, che spiega anche quanto sia diffusa questa prassi di affidare agli utenti aggiornamenti che […]

    Pingback by circa Microsoft patcha di soppiatto | italien post — July 31, 2013 @ 8:03 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: