The Story of a Microsoft Patch
buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them"
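An added illustration of the patching mistake the summary describes (not code from Microsoft, Argeniss or the article): a check placed in front of one call site leaves a second route to the same function open, while a check inside the function covers every caller. All names are hypothetical, and the crash is modelled as an `R_FAULT` return value instead of a real out-of-range access.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; this models the pattern, not CSRSS code. */
#define TABLE_LEN 4
static const int table[TABLE_LEN] = {10, 20, 30, 40};

enum result { R_OK, R_REJECTED, R_FAULT };

/* Sink as shipped: trusts idx. R_FAULT stands in for the crash a real
 * out-of-range access would cause, so the demo itself stays well-defined. */
static enum result sink_unpatched(size_t idx, int *out) {
    if (idx >= TABLE_LEN) return R_FAULT;
    *out = table[idx];
    return R_OK;
}

/* Incomplete patch: the check is added in front of one call site only. */
static enum result path_a_patched(size_t idx, int *out) {
    if (idx >= TABLE_LEN) return R_REJECTED;
    return sink_unpatched(idx, out);
}

/* Second route to the same sink that the patch never touched. */
static enum result path_b_unpatched(size_t idx, int *out) {
    return sink_unpatched(idx, out);
}

/* Complete fix: the sink validates its own arguments, so every caller,
 * including ones nobody enumerated, is covered. */
static enum result sink_fixed(size_t idx, int *out) {
    if (out == NULL || idx >= TABLE_LEN) return R_REJECTED;
    *out = table[idx];
    return R_OK;
}
static enum result path_a_fixed(size_t idx, int *out) { return sink_fixed(idx, out); }
static enum result path_b_fixed(size_t idx, int *out) { return sink_fixed(idx, out); }

int main(void) {
    int v = 0;
    size_t bad = 99;  /* constructed out-of-range input */
    printf("patched path A:   %d\n", path_a_patched(bad, &v));
    printf("unpatched path B: %d\n", path_b_unpatched(bad, &v));
    printf("fixed path A/B:   %d %d\n", path_a_fixed(bad, &v), path_b_fixed(bad, &v));
    return 0;
}
```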
As Microsoft have "integrated" all their APIs into one core buggy OS it doesn't surprise me. Fixing the actual function would probably crash loads of others. But hey that's the Microsoft way..
Frankly it would be better if they started over again.. Look at the situation now.. even M$ themselves have to create infect a machine to track down spammers instead of fixing the root problem. It's like an aircraft with Gaffer Tape holding it together (with a paint job to make it look cool in new version of windows vXXX).. and they couldn't blame weather
I also feel really sorry for m$ coders.. they have a lot of talent but they are probably in a situation where they don't want to mess with code too much as changing things will bring the whole system down.. and a lot of chair throwing.
As Ballmer is a coder himself maybe he should join the troops in the basement and get to the fix and a steady system. Only then will users believe that Wind is a truly great system. At the moment m$ are in denial.
...in my case, I have found that the total disk space consumed by Windows 2000 patches is bigger than the original Windows 2000 install itself! To make matters worse, I am now very low on disk space. I console myself by the fact that disk drives are cheaper nowadays. Whether these patches actually work as advertised is an open question, but I have my doubts though. All I see are a bunch of Hot Fix entries and nothing more.
As a developer, there are times we'll just gloss over a security problem to get the worst of it fixed ASAP with the least risk of breaking something else in the progress (and there are also holes that I'm desperately hoping no-one finds before I have time to completely rewrite the code, and beat to death the programmer responsible for it in the first place, but that's a rant for another day).
It's possible that the first fix was just a temporary measure they knew wouldn't break anything else, while they rewrote the problem function and put it through proper testing. On the other hand, this is Microsoft, so I may be being overgenerous here...
Okay enough with the MS bashing. Granted they do a lot of stupid things. But you forget they still have some of the brightest programmers and intellectuals in the industry. Bar none. Yes, not even the much Slashdotter-adored Google. Recall that these are the guys who made it through the series of technical interviews when you couldn't even get your name on the MS list. They're smart people, and THAT is the bottom line. As for the patch, okay bad call. They should fix the problem. However, this is also a business. They made an executive decision to patch the publicly known path of error first and later assign resources to address the core issue. Businesses do that all the time. You think Coca Cola shuts an entire plant down to figure out why 1 out of every 5 million bottles is an inch shorter than the rest? Or Toyota stops making Tacomas because every 50,000 miles 0.0001% of Tacomas have a transmission problem? No, they make a short-term correction and address the issue at hand. Then they focus resources on the real issue.
Contrary to what you may think, I'm not a MS fan. But they do some things well. (And please don't say they don't because you know better. You do.) AND to your post, they DO hire some of the best minds in the industry. These guys are smart. Super smart. So don't post a 10 line reply on Slashdot trying to appear as if you understand the entire dynamics of the software development business and just know the right way to do things. It's ignorant and makes you appear stupider than I'm sure you really are.
But when it's found "Hey, calling this function with these arguments causes a crash", why *isn't* fixing the function the first thing that comes to mind?
Logically you're right, but Microsoft is a marketing machine. They would rather you buy another ISA server so they can profit from defects. http://www.microsoft.com/isaserver/default.mspx
Maybe this will make them feel better?
And given this research paper, how would that statement be inaccurate, sir?
I suggest people see my comment here. There's this vocal cross-section of astroturfing Microsoft defenders who have infiltrated Slashdot. Report the huge news that two more key executives have left? They'll bitch in the comments. Had problems with things just mysteriously not working anymore in Windows? All the "I've never had it crash in five years" people will jump down your throat to drown you out. Post the huge news that Microsoft shipped a half-assed patch that required another patch to fix it? Someone will try to preemptively dismiss the responses.
This is a huge screwup that is illustrative of the lack of testing and management that MiniMSFT commenters have previously mentioned. Don't try to sweep this under the rug--Microsoft is the company whose software is running on most of the world's computers, and they can't get a patch right.
"Sufferin' succotash."
Your mentioning of Firefox made me think of how boring it is for a Mozilla dev to go back and even look at the 1.0 Aviary branch let alone patch it for some random "security vulnerability" that was fixed ages ago on the pre-1.5 branch. Microsoft is usually working on their new products, and going back to continue working on severely outdated branches to fix a few problems can sometimes feel like a waste of time the closer you get to launching the next big version. I guess the big difference here is that Microsoft isn't going to be offering free upgrades to Vista for current 2000/XP users, so they have a much larger need to go back and continue fixing up old branches in order to continue support for the old versions.
*sigh* The annoying pitfalls of developing a massive project and randomly having to go back and fix small or large things in 10+ month old code.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
Disclaimer: I work at Microsoft. Windows division, Sustained Engineering group. (The people who release the hotfixes, service packs, and so on) I'm a tester. I'm also posting anonymously for obvious reasons.
...) The Indians can't pronounce a "V" to save their life. "V" becomes "wee." (very = "weery") The list goes on. This all leads to miscommunication and inefficiency, especially when you've got two non-native English speakers communicating in their own broken English with one another. I once witnessed a conversation that went on for five minutes with both people talking about a different thing using the same word but in different contexts, before I had to stop them and tell them both what the other was saying. I could imagine that something like that could lead to a developer developing an incomplete fix, because the required completeness of the fix wasn't clearly communicated.
The build team and the test team aren't on the same page. The build team always wants the test team to pass crap as "ok" so that deadlines are met. Quality doesn't matter to build, just meeting deadlines and not getting fired. I'm disappointed working in a place that falls victim to that kind of mentality, but it's a steady paycheck. Lots of people in WinSE (as it's referred to internally) feel this way... they aren't passionate about their job of "sustained engineering" and keeping the currently-released windows platforms alive, but what they are passionate about is just meeting their deadlines and simply cashing their paycheck.
Also, a significant amount of Sustained Engineering is made up of foreigners. Russian, Indian, Pakistani, Chinese, etc. Communicating with these people is always interesting. The Russians don't say "th" sounds because it isn't in their native language. "th" becomes "z" or "s" depending on the emphasis (so the word "paths" becomes "passes" when being said by a Russian. There IS a difference between "test paths" and "test passes"
I think you can make Steve Ballmer say it himself: http://www.axisofstevil.com/djballmerfresh.swf
You're just jealous because the voices only talk to me.