The Story of a Microsoft Patch
buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them."
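The pattern the article describes, as an added illustration (this is not code from the Argeniss paper, from eWeek, or from CSRSS): one vulnerable function that trusts an embedded length, two callers that reach it, a check bolted onto only the first caller, and the proper fix of validating inside the function itself. The message format, the two caller names and the sample messages are constructed for the example; the backing buffer is deliberately larger than the declared message length so that the unpatched path's over-read stays inside allocated memory and the program does not actually crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed message format (hypothetical, not the CSRSS format):
 * byte 0 holds a payload length n, bytes 1..n hold the payload. */

/* Constructed inputs. kBadMessage claims 12 payload bytes but only 8 bytes were
 * actually received; the 0xEE bytes stand in for stale memory after the message. */
const uint8_t kBadMessage[16] = {12, 1, 2, 3, 4, 5, 6, 7,
                                 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE};
const size_t kBadMessageLen = 8;
const uint8_t kGoodMessage[8] = {3, 1, 2, 3, 0, 0, 0, 0};
const size_t kGoodMessageLen = 8;

/* The vulnerable core: never compares the embedded length n against len.
 * Returns a byte checksum of the payload and reports how many bytes it read. */
static int process_record_vuln(const uint8_t *data, size_t len, size_t *consumed) {
    size_t n = data[0];
    unsigned sum = 0;
    (void)len;                                  /* len is ignored: that is the bug */
    for (size_t i = 1; i <= n; i++) sum += data[i]; /* reads past len when n >= len */
    *consumed = n + 1;
    return (int)(sum & 0xff);
}

/* Caller 1: the "patched" path. Validation was added in front of the call. */
int path_client_patched(const uint8_t *data, size_t len, size_t *consumed) {
    if (len == 0 || (size_t)data[0] + 1 > len) return -1; /* header + n bytes must fit */
    return process_record_vuln(data, len, consumed);
}

/* Caller 2: the forgotten path. Same vulnerable function, no check. */
int path_pipe_unpatched(const uint8_t *data, size_t len, size_t *consumed) {
    return process_record_vuln(data, len, consumed);
}

/* The fix the article calls for: validate inside the function, so every
 * present and future caller is covered regardless of which path reached it. */
int process_record_fixed(const uint8_t *data, size_t len, size_t *consumed) {
    if (len == 0) return -1;
    size_t n = data[0];
    if (n + 1 > len) return -1;
    unsigned sum = 0;
    for (size_t i = 1; i <= n; i++) sum += data[i];
    *consumed = n + 1;
    return (int)(sum & 0xff);
}

int main(void) {
    size_t c = 0;
    int r;

    r = path_client_patched(kBadMessage, kBadMessageLen, &c);
    printf("patched caller:   rc=%d (rejected before the call)\n", r);

    c = 0;
    r = path_pipe_unpatched(kBadMessage, kBadMessageLen, &c);
    printf("unpatched caller: rc=%d consumed=%zu of %zu bytes (over-read)\n",
           r, c, kBadMessageLen);

    c = 0;
    r = process_record_fixed(kBadMessage, kBadMessageLen, &c);
    printf("fixed function:   rc=%d (rejected regardless of caller)\n", r);

    c = 0;
    r = process_record_fixed(kGoodMessage, kGoodMessageLen, &c);
    printf("fixed function on valid input: checksum=%d consumed=%zu\n", r, c);
    return 0;
}
```

The check in `path_client_patched` is correct for that caller; the point is that correctness of a check is a property of the function that owns the data, not of one call site, and a patch that reviews only the reported crash path leaves every other path in the state the researcher found.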
I attended a data security meeting held at the university where I work. We had a guest speaker from Microsoft who spoke on the subject of security. Microsoft is attempting to release security patches more often because their patches are being reverse-engineered in under two hours. The speaker also mentioned that an organization needs to respond to security threats in a more agile manner. On a side note, Microsoft is using agile software practices. Is it possible that they have misunderstood the agile mantra of good enough software?