The Story of a Microsoft Patch

buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them"

Re:Why didn't tehy fix it right in the first place

[Xugumad]

As a developer, there are times we'll just gloss over a security problem to get the worst of it fixed ASAP with the least risk of breaking something else in the progress (and there are also holes that I'm desperately hoping no-one finds before I have time to completely rewrite the code, and beat to death the programmer responsible for it in the first place, but that's a rant for another day).

It's possible that the first fix was just a temporary measure they knew wouldn't break anything else, while they rewrote the problem function and put it through proper testing. On the other hand, this is Microsoft, so I may be being overgenerous here...