Slashdot Mirror


The Story of a Microsoft Patch

buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them"

2 of 183 comments (clear)

  1. Patch by lotus_out_law · · Score: -1, Flamebait

    What is so new/different about this?
    Doesn't all our code have bugs?
    With such a big system, it is very probable that somebody is going to miss/mess something up.

    Same with the solutions too...
    Are all our bug fixes perfect?
    I don't think so....

    This is newz just becoz the erring party is microsoft. Isnt it?
    Anywayz some poor chap is going to lose his job over this ...

    kR/\/

  2. wait a second open sores fanboys by LOLDONGS · · Score: -1, Flamebait

    samba had a remote exploit that was open for years that was never patched, so seriously stop with the windows bashing.