Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Story of a Microsoft Patch

Posted by Zonk on from the live-and-learn dept.

buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them"

3 of 183 comments (clear)

  1. Is this really that bad? by ebob9 · · Score: 5, Insightful

    The article criticizes Microsoft for not fully understanding the vulnerability, and issuing an incomplete patch.

    I understand that in a best case scenario, a vendor should release a 100% effective patch. However, in reality, that's not always going to be the case.

    Microsoft released a patch that stopped the public vulnerable attack vector. Then, once they were alerted that they didn't fix all possible vectors, they issued a new patch (albeit quite a few months later).

    With the large amount of bugs and vulnerabilities that a software behemoth like Windows is going to have, is it really that unthinkable that an incomplete first-patch would be released? I'd wager that even OSS products routinely have incomplete first-patches.

    1. Re:Is this really that bad? by QuietLagoon · · Score: 5, Insightful
      Yes, this is really that bad. Software development is supposed to be Microsoft's core competency. That they are not knowledgeable enough to patch the root cause instead of the symptom speaks volumes of their incompetence in their supposed core competence.

      The first question I'd now ask is what other symptoms have been patched which have left other vulnerabilities open for exploit via other attack vectors?

  2. Security and the stock price by ewg · · Score: 5, Insightful

    Has any Windows security problem ever hurt Microsoft's stock price?

    I checked MSFT a couple of times when mail-based malware was running amok, seriously enough to reach the general news media. No effect.

    If that's the overall pattern when it comes to Microsoft security issues and Microsoft's business success, it goes a long way toward explaining security missteps like MS05-018. There's no direct incentive for them to master security.

    --
    org.slashdot.post.SignatureNotFoundException: ewg