Researcher Details More Microsoft Patch Missteps - InformationWeek

10/31/2005 01:58 PM

Researcher Details More Microsoft Patch Missteps

Cesar Cerrudo, CEO at a security vendor, claims that Microsoft's problems with past patches, now finally fixed, may augur larger issues with the whole process.

Microsoft's patching problems resurfaced last week when a researcher published a paper detailing how the Redmond, Wash.-based developer failed to fully fix a vulnerability disclosed in April 2005.

The goof, claimed security researcher Cesar Cerrudo, chief executive of Argeniss Information Security, forced Microsoft to release another security bulletin in October.

Cerrudo published his paper, "Story of a dumb patch," with details of how Microsoft slapped a Band-Aid on a bug rather than really plug the vulnerability outlined in MS05-018, one of eight bulletins issued in April.

MS05-018 actually dealt with four different vulnerabilities in Windows 2000, Windows XP, and Windows Server 2003. Cerrudo focused on the Client/Server Runtime Subsystem (CSRSS) bug, which was ranked as "Important" -- the second-highest in Microsoft's four-step scheme -- because an attacker needed local access to a PC to exploit it.

Cerrudo noted that Microsoft's April patch did not close off every route by which the bug could be reached.

"The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function," he said. "But what Microsoft missed was that the vulnerable function can be reached from different paths, and the validation code was added on just one of them."
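The pattern Cerrudo describes, as an added illustration (this is not CSRSS code, not Microsoft's patch, and not Cerrudo's exploit; the message layout, the two path names, and the 256-byte buffer are assumed for the example). One shared function copies a caller-supplied length into a fixed buffer. The April-style fix adds a length check in front of only one of its two callers, so the second caller still reaches the unchecked copy; the October-style fix moves the check into the shared function, so every path gets it. The oversize copy is reported instead of performed so the program runs safely.

```c
/* Added example: "validate at one call site" versus "validate in the shared
 * function". Hypothetical code; the message format and BUF_SIZE are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

enum result { RES_OK = 0, RES_REJECTED = 1, RES_OVERFLOW = 2 };

/* A message reaching the shared worker: a caller-controlled length plus data. */
struct msg {
    size_t len;
    const char *data;
};

/* The shared sink, as left by the first patch. In a real bug the oversize
 * memcpy would corrupt the stack; here it is reported and skipped so the
 * example can run. */
static enum result copy_unchecked(const struct msg *m)
{
    char buf[BUF_SIZE];
    if (m->len > sizeof buf)
        return RES_OVERFLOW;          /* real code: memcpy writes past buf */
    memcpy(buf, m->data, m->len);
    return RES_OK;
}

/* April-style fix: validation code added in front of ONE caller only. */
static enum result path_a_april(const struct msg *m)
{
    if (m->len > BUF_SIZE)
        return RES_REJECTED;          /* the added validation */
    return copy_unchecked(m);
}

/* The second caller was not touched, so it still reaches the unchecked copy. */
static enum result path_b_april(const struct msg *m)
{
    return copy_unchecked(m);
}

/* October-style fix: the check lives inside the shared function, so it
 * covers every caller, including ones the patch author never looked at. */
static enum result copy_checked(const struct msg *m)
{
    char buf[BUF_SIZE];
    if (m->len > sizeof buf)
        return RES_REJECTED;
    memcpy(buf, m->data, m->len);
    return RES_OK;
}

static enum result path_a_october(const struct msg *m) { return copy_checked(m); }
static enum result path_b_october(const struct msg *m) { return copy_checked(m); }

/* Constructed payload large enough that a legal copy never reads past it. */
static struct msg make_msg(size_t len)
{
    static char payload[4096];
    struct msg m;
    memset(payload, 'A', sizeof payload);
    m.len = len;
    m.data = payload;
    return m;
}

/* Drive a message of the given length down path 'A' or 'B' under each fix. */
enum result run_april(char path, size_t len)
{
    struct msg m = make_msg(len);
    return path == 'A' ? path_a_april(&m) : path_b_april(&m);
}

enum result run_october(char path, size_t len)
{
    struct msg m = make_msg(len);
    return path == 'A' ? path_a_october(&m) : path_b_october(&m);
}

int main(void)
{
    static const char *names[] = { "ok", "rejected", "OVERFLOW" };
    const size_t oversize = 4096;     /* attacker-chosen length */
    printf("April fix,   path A: %s\n", names[run_april('A', oversize)]);
    printf("April fix,   path B: %s\n", names[run_april('B', oversize)]);
    printf("October fix, path A: %s\n", names[run_october('A', oversize)]);
    printf("October fix, path B: %s\n", names[run_october('B', oversize)]);
    return 0;
}
```

The audit step the first patch skipped is the one the example makes visible: enumerate every caller of the vulnerable function (cross-references in a disassembler or a call-graph tool) and confirm the new check is on the path to each, or put the check where the dangerous copy happens.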

Cerrudo found the still-open attack routes after he reverse-engineered the bug and the April patch to build an exploit, a common technique that both researchers and hackers use to take advantage of newly disclosed vulnerabilities in Windows.

"Microsoft forgot to do proper research to identify all the paths," Cerrudo said.

Only in October, Cerrudo said, did Microsoft finally shut the door with the release of the MS05-049 security bulletin. "This [MS05-049] fix is good but Microsoft should have done it in [the] first patch," he wrote.

"Microsoft still needs some fine tuning on the patching process in order to avoid this kind of mistake," he concluded.

Patch problems have become rife at Microsoft. In October, the company needed to clarify or reissue two bulletins rolled out earlier in the month.

Microsoft did not dispute Cerrudo's claim -- in a brief statement, the company even thanked him for "working with Microsoft to protect our customers" -- but neither would it confirm it.

Instead, a spokesperson said that the two bulletins, April's MS05-018 and October's MS05-049, both address vulnerabilities in CSRSS. "MS05-049 addresses a new vulnerability that was not addressed as part of MS05-018," she said. "MS05-018 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability."

"Microsoft continues to encourage customers to download both MS05-018 and MS05-049," the spokesperson added.
