Researcher Details More Microsoft Patch Missteps - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

01:58 PM

Researcher Details More Microsoft Patch Missteps

Cesar Cerrudo, CEO at a security vendor, claims that Microsoft's problems with past patches, now finally fixed, may augur larger issues with the whole process.

Microsoft's patching problems resurfaced again when a researcher published a paper last week detailing how the Redmond, Wash.-based developer failed to really fix a vulnerability disclosed in April 2005.

The goof, claimed security researcher Cesar Cerrudo, chief executive of Argeniss Information Security, forced Microsoft to release another security bulletin in October.

Cerrudo published his paper, "Story of a dumb patch," with details of how Microsoft slapped a Band-Aid on a bug rather than really plug the vulnerability outlined in MS05-018, one of eight bulletins issued in April.

MS05-018 actually dealt with four different vulnerabilities in Windows 2000, Windows XP, and Windows Server 2003. Cerrudo focused on the Client Server Runtime System (CSRSS) bug, which was ranked as "Important" -- the second-highest in Microsoft's four-step scheme -- because an attacker needed local access to a PC.

Cerrudo noted that Microsoft didn't completely close off all possible exploits.

"The problem was that Microsoft didn't patch the vulnerable function they just added some validation code before the call to the vulnerable function," he said. "But what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them."

Cerrudo found the still-open attack routes after he reverse-engineered the bug to build an exploit, a common technique that both researchers and hackers use to take advantage of newly-disclosed vulnerabilities in Windows.

"Microsoft forgot to do proper research to identify all the paths," Cerrudo said.

Only in October, Cerrudo said, did Microsoft finally shut the door with the release of the MS05-049 security bulletin. "This [MS05-049] fix is good but Microsoft should have done it in [the] first patch," he wrote.

"Microsoft still needs some fine tuning on the patching process in order to avoid this kind of mistake," he concluded.

Patch problems have become rife at Microsoft. In October, the company needed to clarify or reissue two bulletins rolled out earlier in the month.

Microsoft did not refute Cerrudo's claim -- in a brief statement, the company even thanked him for "working with Microsoft to protect our customers" -- but neither would it confirm it.

Instead, a spokesperson said that the two bulletins, April's MS05-018 and October's MS5-049, both address vulnerabilities in CSRSS. "MS05-049 addresses a new vulnerability that was not addressed as part of MS05-018," she said. "MS05-018 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability.

"Microsoft continues to encourage customers to download both MS05-018 and MS05-049," the spokesperson added.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll