Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Story of a Microsoft Patch

Posted by Zonk on from the live-and-learn dept.

buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them"

4 of 183 comments (clear)

  1. Conspiracy by gcnaddict · · Score: -1, Troll

    They probably left it open so that they could DDOS Google with 95% of the world's computers

    Well its too bad they couldnt cover up their intentions a little bit better.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  2. Re:wait a second open sores fanboys by Anonymous Coward · · Score: -1, Troll

    Simmer down fanboy. I think you've been dicking around with your Linux Kernel far enough for tonight. Go to sleep before your parents catch you up again like last weekend.

  3. Frequent Patching by man2525 · · Score: 1, Troll

    I attended a data security meeting held at the university where I work. We had a guest speaker from Microsoft who spoke on the subject of security. Microsoft is attempting to release security patches more often because their patches are being reverse-engineered in under two hours. The speaker also mentioned that an organization needs to respond to security threats in a more agile manner. On a side note, Microsoft is using agile software practices. Is it possible that they have misunderstood the agile mantra of good enough software?

  4. Re:It's no wonder... by Anonymous Coward · · Score: -1, Troll

    "OMG, M$ has fucked up again, quick, post it on /. and let's show the world that WinDoze (LOL!!1) sucks and that Linux rules! (Oh, and don't forget to make a corny joke about it.)" - M$-hating Linux Zealot

    Can we get over it already? Let's face it: the main - not to say *only* - reason why it was posted on Slashdot was - *again* and *as usual* - not to inform people about something but to be able to write another article that starts with "Microsoft failed to...". Great going guys, really. (I expected this kind of childish behaviour to diminish over the years, but hey, this is Slashdot, so the chances of that happening are virtually non-existent.)