Microsoft releases stealth patches for Exchange
Written by John P Mello Jr on May 14, 2010
Microsoft released some security patches last month without revealing them to the public. Some of the fixes affected software in mission critical Exchange mail servers.
The patches were hidden in one of Microsoft’s periodic updates issued April 13, namely “Microsoft Security Bulletin MS10-024 – Important: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832).”
“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service,” Microsoft said in the security bulletin’s executive summary.
“The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service,” it continued. “By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition.”
It added: “This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003; 32-bit and x64-based editions of Windows Server 2008; Windows Server 2008 R2 for x64-based Systems; and Microsoft Exchange Server 2003. This security update is rated Moderate for Microsoft Exchange Server 2000.”
The bulletin cited two vulnerabilities targeted by the April 13 patches. In one (CVE-2010-1689), Windows SMTP Service generated DNS queries whose transaction ID field held trivially guessable values. In the other (CVE-2010-1690), the service did not check that the ID of a DNS response received from the network actually matched the ID field of a DNS query it had previously sent.
What Microsoft didn’t mention in its bulletin was that it was also patching two serious flaws in Windows SMTP Service and Microsoft Exchange that could be exploited in DNS spoofing and cache poisoning attacks. Both attacks are ways to redirect Internet traffic to or through a black hat site for pernicious purposes.
Microsoft’s omission was discovered by Nicolás Economou, a researcher at Core Security Technologies, a security research firm headquartered in Boston. The company said in a security advisory that Economou discovered two vulnerabilities in Windows SMTP Service and Exchange while routinely reviewing the changes described in MS10-024. Although the vulnerabilities were patched by Microsoft, Economou learned, their existence was not disclosed in the software maker’s bulletin.
Moreover, a unique vulnerability identifier had not been assigned to the flaws. “As a result,” Core noted in its advisory, “the guidance and the assessment of risk derived from reading the vendor’s security bulletin may overlook or misrepresent actual threat scenarios.”
In addition, while researching another vulnerability (CVE-2010-0024), Economou unearthed two more “severe bugs” addressed by the April 13 patches but undisclosed by Microsoft.
“Basic analysis of the vulnerabilities disclosed in this advisory indicates that the threat of DNS spoofing attacks against Windows SMTP Service and Microsoft Exchange or of exploitation of CVE-2010-0024 was underestimated in MS10-024,” Core said in its security advisory.
“An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to spoof responses to any DNS query sent by the Windows SMTP Service trivially,” it continued. “DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.”
“As a result,” it added, “the importance of deploying MS10-024 patches may be misrepresented in the vendor’s security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.”
When Core contacted Microsoft about the undisclosed vulnerabilities and why they weren’t issued vulnerability identifiers, or CVEs, the software maker referred Core to a footnote in MS10-024. The footnote said:
“Severity ratings do not apply to this update because the vulnerabilities discussed in this bulletin do not affect [Microsoft Exchange Server 2007 and 2010]. However, Microsoft recommends that customers of this software apply this update, which includes a defense-in-depth measure that adds additional source port entropy to DNS transactions initiated by the SMTP service.”
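The two flaws described above (guessable transaction IDs, and responses accepted without matching them to a sent query) and the footnote’s source-port entropy are all checks on the resolver side. As an added example that is not from the article, Core’s advisory or Microsoft’s code, the Python below models a stub resolver that draws random IDs and source ports and accepts a reply only when its ID, destination port and question match a query still in flight; the weak settings reproduce the flawed behaviour for comparison. The `Resolver` class and its method names are illustrative.

```python
import secrets
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035)
DNS_HEADER = struct.Struct("!HHHHHH")

def encode_qname(name):
    """'mx.example.com' -> b'\\x02mx\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

class Resolver:
    """Illustrative stub resolver: tracks in-flight queries and validates replies."""

    def __init__(self, random_ids=True, random_ports=True):
        self.random_ids = random_ids      # False models the guessable-ID flaw
        self.random_ports = random_ports  # False models a fixed UDP source port
        self.next_id = 1
        self.pending = {}  # (txid, src_port) -> question name on the wire

    def send_query(self, name, qtype=15):  # qtype 15 = MX, what mail delivery looks up
        if self.random_ids:
            txid = secrets.randbelow(1 << 16)
        else:
            txid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF
        port = 1024 + secrets.randbelow(65536 - 1024) if self.random_ports else 1025
        qname = encode_qname(name)
        self.pending[(txid, port)] = qname
        packet = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
        return txid, port, packet

    def accept_response(self, dst_port, data):
        """Accept a reply only if ID, port and question match an outstanding query."""
        if len(data) < DNS_HEADER.size:
            return False
        txid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(data)
        if not flags & 0x8000 or qdcount != 1:   # QR bit set, exactly one question
            return False
        expected = self.pending.get((txid, dst_port))
        if expected is None:                     # the check MS10-024 says was missing
            return False
        if not data[DNS_HEADER.size:].startswith(expected):
            return False                         # answer is for a different name
        del self.pending[(txid, dst_port)]       # one reply per query; no replays
        return True
```

With random IDs and ports a forged reply must hit both values (about 32 bits of search space instead of 16), and the table lookup rejects anything that does not correspond to a query the resolver actually sent.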
Issuing stealth patches is apparently nothing new in the software industry. “This has been going on for many years and the action in and of itself is not a huge conspiracy,” Andrew Storms, director of security operations, recently told CIO magazine.
What is unusual is that Core made its discovery of the omissions public. Apparently, it felt the vulnerabilities it discovered should have received more prominent treatment than an obscure reference in a footnote in Microsoft’s security bulletin. In addition, it seems concerned that Microsoft’s assessment of its patches–especially in light of the importance of the undisclosed flaw fixes–was understated and would mislead system administrators. Without knowledge about the significance of the patches, some administrators may put the fixes on a back burner when they should be on a front one.