A recent Microsoft security update quietly fixed two "severe" vulnerabilities that put Windows users at risk. Microsoft did not fully disclose what the update fixed, leaving administrators to judge the risk from an incomplete picture.
According to Nicolás Economou, a researcher with Core Security, Microsoft's MS10-024 update fixed two serious bugs that made it easy for an attacker to intercept e-mail sent by Exchange and by the Windows SMTP service. The "two severe bugs" were present in Microsoft Exchange and in the SMTP service shipped with the 2000, XP, 2003 and 2008 versions of Windows. They made it "trivial" to carry out DNS cache-poisoning attacks of the kind first described in the early 1990s and made famous in 2008 by researcher Dan Kaminsky.
The bugs apparently made it "trivial" to forge responses to the domain name system queries the mail service makes when routing outbound mail, so that messages could be delivered to a host of the attacker's choosing. The DNS-spoofing bugs were not described in the bulletin and were never assigned a "Common Vulnerabilities and Exposures" (CVE) identifier. Microsoft's advisory mentioned only a "denial of service vulnerability", and rated the flaws "important" or "moderate" rather than "critical".
By downplaying the nature and severity of the risk, Microsoft knowingly handicapped IT administrators' ability to decide whether or not to install the patch, Core said.
Core also rejects the characterization of the two fixes as mere "defense-in-depth" changes, and points out that a substantial body of literature supports its view, beginning with Core's first published security advisory on "DNS query ID prediction" and ending with Dan Kaminsky's well-publicized DNS poisoning technique.