Researcher Details More Microsoft Patch Missteps - InformationWeek

10/31/2005 01:58 PM

Cesar Cerrudo, CEO at a security vendor, claims that Microsoft's problems with past patches, now finally fixed, may augur larger issues with the whole process.

Microsoft's patching problems resurfaced again when a researcher published a paper last week detailing how the Redmond, Wash.-based developer failed to really fix a vulnerability disclosed in April 2005.

The goof, claimed security researcher Cesar Cerrudo, chief executive of Argeniss Information Security, forced Microsoft to release another security bulletin in October.

Cerrudo published his paper, "Story of a dumb patch," with details of how Microsoft slapped a Band-Aid on a bug rather than really plug the vulnerability outlined in MS05-018, one of eight bulletins issued in April.

MS05-018 actually dealt with four different vulnerabilities in Windows 2000, Windows XP, and Windows Server 2003. Cerrudo focused on the Client Server Runtime System (CSRSS) bug, which was ranked as "Important" -- the second-highest in Microsoft's four-step scheme -- because an attacker needed local access to a PC.

Cerrudo noted that Microsoft didn't completely close off all possible exploits.

"The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function," he said. "But what Microsoft missed was that the vulnerable function can be reached from different paths, and the validation code was added on just one of them."

Cerrudo found the still-open attack routes after he reverse-engineered the bug to build an exploit, a common technique that both researchers and hackers use to take advantage of newly disclosed vulnerabilities in Windows.

"Microsoft forgot to do proper research to identify all the paths," Cerrudo said.
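As an added illustration (not Microsoft's code, nor anything from Cerrudo's paper), the pattern he describes: a length check bolted onto one caller while a second path still reaches the same unchecked function, beside the fix that puts the check in the function itself. The names (sink_*, handle_path_*, request) and the request format are hypothetical, and the overflow is modelled as a return code rather than an actual out-of-bounds write.

```c
#include <string.h>

/* Constructed illustration, not Microsoft's CSRSS code. A sink copies a
 * caller-supplied length into a fixed buffer and is reachable from two
 * handlers; all names here (sink_*, handle_path_*, request) are hypothetical. */
#define BUF_SIZE 16

struct request { const char *data; size_t len; };

/* The vulnerable function, left as-is by the first patch. A real sink would
 * memcpy and overflow; this model returns 1 instead of corrupting memory so
 * the demo stays memory-safe, and 0 when the copy fits. */
static int sink_unchecked(char *dst, const struct request *r) {
    if (r->len > BUF_SIZE) return 1;        /* stand-in for the overflow */
    memcpy(dst, r->data, r->len);
    return 0;
}

/* The first patch as described in the article: validation added on only the
 * one call path that was reported. Returns -1 when the request is rejected. */
static int handle_path_a(char *dst, const struct request *r) {
    if (r->len > BUF_SIZE) return -1;
    return sink_unchecked(dst, r);
}

/* A second path to the same sink that the first patch did not touch. */
static int handle_path_b(char *dst, const struct request *r) {
    return sink_unchecked(dst, r);          /* oversized length still arrives */
}

/* The later fix: the check lives in the sink itself, so every path is covered
 * without anyone having to enumerate the callers. */
static int sink_checked(char *dst, const struct request *r) {
    if (r->len > BUF_SIZE) return -1;
    memcpy(dst, r->data, r->len);
    return 0;
}

static int handle_path_b_fixed(char *dst, const struct request *r) {
    return sink_checked(dst, r);
}

/* Drive a handler with a constructed request of the given length. */
static int run(int (*handler)(char *, const struct request *), size_t len) {
    static const char payload[64] = "constructed sample data";
    char buf[BUF_SIZE];
    struct request r = { payload, len };
    return handler(buf, &r);
}
```

Running `run(handle_path_b, 64)` returns 1, showing the untouched path still delivers an oversized length to the unchecked function even though path A rejects it; `run(handle_path_b_fixed, 64)` returns -1.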

Only in October, Cerrudo said, did Microsoft finally shut the door with the release of the MS05-049 security bulletin. "This [MS05-049] fix is good but Microsoft should have done it in [the] first patch," he wrote.

"Microsoft still needs some fine tuning on the patching process in order to avoid this kind of mistake," he concluded.

Patch problems have become rife at Microsoft. In October, the company needed to clarify or reissue two bulletins rolled out earlier in the month.

Microsoft did not refute Cerrudo's claim -- in a brief statement, the company even thanked him for "working with Microsoft to protect our customers" -- but neither would it confirm it.

Instead, a spokesperson said that the two bulletins, April's MS05-018 and October's MS05-049, both address vulnerabilities in CSRSS. "MS05-049 addresses a new vulnerability that was not addressed as part of MS05-018," she said. "MS05-018 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability.

"Microsoft continues to encourage customers to download both MS05-018 and MS05-049," the spokesperson added.
