Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Story of a Microsoft Patch

Posted by Zonk on from the live-and-learn dept.

buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them"

36 of 183 comments (clear)

  1. It's no wonder... by Anonymous Coward · · Score: 5, Funny

    A Microsoft Microsoft patch? That's the worst kind!

  2. Liability by VincenzoRomano · · Score: 3, Insightful

    I'm liable for bugs in my software.
    I'm not liable if my patches fail to patch the bug.
    I'm not liable if my patches make more damages than the pathced bug.
    If I do the same in restaurant business I get jailed!
    It would be great at least a "pay after use", just like pizza: do you use to pay for pizza after or before you ate it?

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:Liability by Lillesvin · · Score: 5, Funny

      [...] just like pizza: do you use to pay for pizza after or before you ate it?

      Usually the delivery boy won't let go of the damn box until I hand him the money.

      --
      "Live free or don't."
  3. Why didn't tehy fix it right in the first place? by Barkley44 · · Score: 4, Insightful

    Why didn't they fix the vulnerable function in the first place (is there a specific reason)? Sure, adding validation seems like a quick and valid fix, but a company the size of MS should have known in the long run, fix the function instead.

    --
    KeepTrackOfIt.com - Find the lowest gas prices in your area graphically
  4. unpatchable by Anonymous Coward · · Score: 3, Interesting

    As Microsoft have "intergrated" all their api's into one core buggy OS it doesnt suprise me. Fixing the actual function would probably crash loads of others. But hey thats the microsoft way..

    Frankly it would be better if they started over again.. Look at the situation now.. even M$ themselves have to create infect a machine to track down spammers instead of fixing the root problem. Its like an aircraft with Gaffer Tape holding it together (with a paint job to make it look cool in new version of windows vXXX).. and they couldnt blame weather ..

    I also feel really sorry for m$ coders.. they have a lot of talent but they are probably in a situation where they dont want to mess with code too much as changing things will bring the whole system down.. and a lot of chair throwing.

    As Ballmer is a coder himself maybe he should join the troops in the basement and get to the fix and a steady system. Only them will users believe that Wind is a truly great system. At the moment m$ are in denial.

  5. Is this really that bad? by ebob9 · · Score: 5, Insightful

    The article criticizes Microsoft for not fully understanding the vulnerability, and issuing an incomplete patch.

    I understand that in a best case scenario, a vendor should release a 100% effective patch. However, in reality, that's not always going to be the case.

    Microsoft released a patch that stopped the public vulnerable attack vector. Then, once they were alerted that they didn't fix all possible vectors, they issued a new patch (albeit quite a few months later).

    With the large amount of bugs and vulnerabilities that a software behemoth like Windows is going to have, is it really that unthinkable that an incomplete first-patch would be released? I'd wager that even OSS products routinely have incomplete first-patches.

    1. Re:Is this really that bad? by QuietLagoon · · Score: 5, Insightful
      Yes, this is really that bad. Software development is supposed to be Microsoft's core competency. That they are not knowledgeable enough to patch the root cause instead of the symptom speaks volumes of their incompetence in their supposed core competence.

      The first question I'd now ask is what other symptoms have been patched which have left other vulnerabilities open for exploit via other attack vectors?

    2. Re:Is this really that bad? by Metroid72 · · Score: 4, Insightful

      Just to be clear from the begining: I don't disagree with you.
      Your underlying assumption is that Microsoft's core competency is software development, however, I think that's debatable. Over the years they've demostrated that they are a better Marketing company than a software development company.

      They happen to be very fast to identify consumer needs or technology trends (either by researching or copying others) and integrate them quickly in their product portfolio. I think that aggresive way to integrate new features tends to help a lot in writing bad code.

      It's not until lately, due to the size of the company and layers of bureocracy that MS is having a tough time releasing products and features to market quick enough. Since the birth of the internet they have been very reactive, but now it's taking them longer to react to the market realities and trends.

    3. Re:Is this really that bad? by SharpFang · · Score: 4, Insightful

      It's okay to release a "quick and dirty fix" immediately. Like Firefox, disabling whole feature that is vulnerable. But they shouldn't need to be told the fix isn't good. They should start working on a full, proper patch as soon as the hotfix is ready, and be aware WHAT the vulnerablity is. Put a band-aid on the bleeding wound right after the accident, okay, but then let the surgeon remove splinters and sew the skin together properly once the patient arrives at the hospital. Don't leave as-is because it's not bleeding at the moment.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  6. Movie Deal by jettoki · · Score: 5, Funny

    From TFA:
    It's being called the "story of a dumb patch."

    Soon to be a 200-part epic, starring John Goodman as Steve Balmer.
    Coming to a Windows Vista box near you!

  7. Great... by ninja_assault_kitten · · Score: 3, Insightful

    Now we get to listen hundreds of people who's programming experience consists of 5000 lines or C/Perl/Python tell everyone what the proper process is for matching vulnerable code.

    1. Re:Great... by Taladar · · Score: 4, Insightful

      The proper process actually is not to write tightly coupled modules bigger than the size one person can know completely. It is well known by now that software development is too complicated if you write several million line programs without dividing them in a way that makes them more similar to a large number of small, separate programs.

      --
      Linux is not Windows
  8. Hey ... by b3x · · Score: 3, Funny

    At least they tried! And mommy says thats what counts.

  9. The Story of a Microsoft Patch by AthenianGadfly · · Score: 4, Funny

    The Story of a Microsoft Patch
    A Tragedy in Three Acts

  10. Security and the stock price by ewg · · Score: 5, Insightful

    Has any Windows security problem ever hurt Microsoft's stock price?

    I checked MSFT a couple of times when mail-based malware was running amok, seriously enough to reach the general news media. No effect.

    If that's the overall pattern when it comes to Microsoft security issues and Microsoft's business success, it goes a long way toward explaining security missteps like MS05-018. There's no direct incentive for them to master security.

    --
    org.slashdot.post.SignatureNotFoundException: ewg
    1. Re:Security and the stock price by HalAtWork · · Score: 3, Insightful

      People take it for granted that Windows won't work. The average person will call upon a neighbourhood geek before they talk to MS about a problem. This shows that either people aren't even thinking of blaming MS for the problems (they figure problems are actually normal!), or they have no confidence in MS in fixing the problem.

      --
      Twinstiq, game news
    2. Re:Security and the stock price by Overly+Critical+Guy · · Score: 3, Insightful

      MSFT's stock price has been flat for five years at ~$25. Maybe that's the hurt.

      --
      "Sufferin' succotash."
  11. Re:Why didn't tehy fix it right in the first place by The+Lerneaen+Hydra · · Score: 4, Insightful

    Maybe because they didn't really care about the other ways to get in, but all they cared about in this case was their image to the outer world, and thereby being able to say "See, look at us, we patch our flaws immediately".

  12. Re:Why didn't tehy fix it right in the first place by daern · · Score: 5, Informative

    Why didn't they fix the vulnerable function in the first place (is there a specific reason)? Sure, adding validation seems like a quick and valid fix, but a company the size of MS should have known in the long run, fix the function instead.

    One possible reason is that changing the code to make it "safe" would have broken application compatability. I would be very surprised if this was not the reason...

    This would explain why, instead of fixing the underlying problem, they chose to wrap it in validation to reduce the risk. It sounds like they did not do a complete analysis of the problem, but I think that's a method problem rather than a rundamental flaw in how they fixed it.

  13. Re:wait a second open sores fanboys by EasyTarget · · Score: 3, Insightful

    You can either:
    1) Give some references, or
    2) Accept the Troll moderation you are about to recieve.
    Your choice..

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  14. Monolithic design of CSRSS is to blame here... by nick8325 · · Score: 4, Informative

    The problem, as far as I can see, is that CSRSS.exe, which implements some important parts of win32 (important enough for the kernel to die in sympathy if CSRSS dies), is also responsible for the menial tasks of drawing console windows.

    If the code to draw console windows were in a separate, unprivileged process, or even better a library, this bug would not be particularly exploitable. The worst DoS possible would be to prevent anyone from making console windows until the process was restarted.

    There was another console bug a few years ago, see here. Printing a few tabs and backspaces to the console would cause the machine to blue screen.

    1. Re:Monolithic design of CSRSS is to blame here... by Foolhardy · · Score: 3, Interesting
      The problem, as far as I can see, is that CSRSS.exe, which implements some important parts of win32 (important enough for the kernel to die in sympathy if CSRSS dies), is also responsible for the menial tasks of drawing console windows.
      I think that CSR was intended to be a generic subsystem server at one point. CSR actually loads libraries that contain the work code: from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, Windows value
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
      This is the command line used to start csrss. Note the ServerDll= lines: csr loads basesrv, winsrv and calls entry point UserServerDllInitialization and ConServerDllInitialization. Csrss.exe is only some 6KB: the real work is done in these libraries. Back when Win32 was all in user mode (NT 3.51) winsrv.dll was 1.3MB: it's where all the GDI and USER back end code lived. There was also a call to GdiServerDllInitialization in winsrv. In NT4 winsrv.dll shrunk down to 166KB, since most of the code was moved into win32k.sys. Anyways, it looks like the console is implemented in winsrv but using the ConServer init function; it might be (or have been) possible to have CSR start another unpriviliged process that just does the console work. I bet MS could do it if they really wanted to.
  15. As if the patch woes are not enough..., by bogaboga · · Score: 3, Interesting

    ...in my case, I have found that the total disk space consumed by Windows 2000 patches is bigger than the original Windows 2000 install itself! To make matters worse, I am now very low on disk space. I console myself by the fact that disk drives are cheaper nowadays. Whether these patches actually work as advertised is an open question, but I have my doubts though. All I see are a bunch of Hot Fix entries and nothing more.

  16. IBM isn't any better by MS · · Score: 4, Informative
    5 years ago one of my clients bought IBM Net.Commerce. While adapting the scripts to their needs, I found a vulnerability, witch exposed configuration data (passwords included) via HTTP: you simply had to add a dot to the filename to view it in the browser.

    We decided to tell IBM, and they patched it. But not fully: the same hole was still open. It was not anymoe possible to access the configuration data by appending a dot, but this time is was enough to add a "%20" to the filename or something similar.

    Instead of moving those configuration files out of the webroot!

    :-(

  17. ./sigh by AcheronHades · · Score: 3, Insightful

    A Microsoft bashing story on Slashdot??

  18. Re:Why didn't tehy fix it right in the first place by Xugumad · · Score: 4, Interesting

    As a developer, there are times we'll just gloss over a security problem to get the worst of it fixed ASAP with the least risk of breaking something else in the progress (and there are also holes that I'm desperately hoping no-one finds before I have time to completely rewrite the code, and beat to death the programmer responsible for it in the first place, but that's a rant for another day).

    It's possible that the first fix was just a temporary measure they knew wouldn't break anything else, while they rewrote the problem function and put it through proper testing. On the other hand, this is Microsoft, so I may be being overgenerous here...

  19. Binary compatibility by LaughingCoder · · Score: 3, Insightful

    Here is an example, perhaps, where FOSS has an advantage. Microsoft might not be able to fix the function because it is "in the wild" and there could be many dependent "already-compiled" applications which would/could be affected. In the FOSS world where backwards binary compatibility is not an issue, a source patch could be made available. Oftentimes the way these sorts of problems are handled by Microsoft is they roll out a new updated API, leaving the old ones in place. This obviously doesn't address the installed base of buggy code, but fixes the problem going forward - assuming they can convince the developers to adopt the new API. Unfortunately, this course of action is also not applicable to a security patch scenario. So, MS issues an imperfect patch addressing, hopefully, the most flagrant problems, and queues the function as one needing to be deprecated in a future release.

    --
    The more you regulate a company, the worse its products become.
  20. Re:Symptoms vs Causes by bcmm · · Score: 4, Insightful

    Well, is that wrong? Isn't that exactly what they did in this case?

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  21. Hey, its Micorosoft. This is what they do... by sjanes71 · · Score: 4, Insightful
    They have lots of practice at it. Practice at what? They disclaim or disable the user to death. Instead of fixing the holes, they pop a dialog window and confuse the user. "Hey, some program is accessing your address book!" "You're about to enable file or printer sharing, are you sure that you want to do that? Someoone might, uh... get some files or use your printer over the network." "You're not allowed to open attachments until you find this one little checkbox and click it before we let you open attachments, because we think you're stupid." Everyone of these little dialogs is a tiny micro-EULA that users never quite read or understand.

    This happens over and over and over again— with some users, I'm afraid to upgrade their software because their "world" sadly depends on the cargo cult execution of gestures to get their work done. Too many applications change how they look and feel with every upgrade that many users go off the rails whenever that happens. At least with an application, you can kind of avoid it, but when it's Windows— aw man, why not just fix the SECURITY HOLES instead of changing the UI? Please, Microsoft?

    Screw it [sic; I'm being polite.], I'll keep my Mac OS X for clients and Gentoo Linux for servers and any web service that doesn't suck (Gmail, Basecamp, etc.), thank you very much.

    Microsoft's days are over the moment Google decides to market an operating system that includes GFS for redundant data-storage and their MapReduce for batch processing. These things are big contributors to how its even possible for Google to exist. Simplicity trumps mediocrity.

  22. Re:Why didn't tehy fix it right in the first place by dlasley · · Score: 4, Insightful

    One must also consider the possibility that the folks doing the coding and the quality assurance (SQA) may not be the original authors of the specific branch involved, and therefore did not have the proper experience level required to do the research and make the judgement calls. With the rumored turnover Microsoft has seen lately, I wonder if this is not a possibility?

    More and more of the post-development activities (break/fix, SQA, implementation/packaging, etc.) for software are happening in little bubbles, somewhat removed from the core competency group that created the original code. We even see this touted as the right way to do things from sources that are considered to experts in the process + workflow arena (well, some folks consider them experts, anyway). When this becomes the standard operating procedure, any company runs the risk of bad patches to any kind of software: you can not limit the culpability to Microsoft.

    --
    when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
  23. Deja vu by HangingChad · · Score: 4, Funny
    Microsoft Microsoft only patched one path to the vulnerable function

    It's a glitch in the Matrix. It usually means they've changed something...

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  24. health care coverge and the patch by goombah99 · · Score: 5, Funny

    Is a microsoft patch anything like one of those Nicotine patches that help you stop smoking? If so I wonder if my health care will cover it. I'd like to slap one of those on asses of my co-workers and help get them off their addiction to microsoft.

    I guess one might consider Linux to be sort of a methadone. Something that hels you with your cravings for the bad stuff, but ultimately leaves you without that satsifying high.

    Personally I useto OSX, but I'm not addicted. I could stop anytime I want to. I just don't want to that's all. Now excuse me while I watch the Genie effect a few times before I send this.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  25. Re:Why didn't tehy fix it right in the first place by deaddrunk · · Score: 4, Insightful

    Probably goes like this:

    Coder(s): this will take two weeks to fix and test properly

    Management: you've got four hours.

    --
    Does a Christian soccer team even need a goalkeeper?
  26. Exercise by fatphuk · · Score: 3, Informative

    For those of working on any windows app, if possible, as an experiment put your app through some memory leak detection software (like Purify etc). I'm sure you'll be as shocked as I was to see how many OS level buffer overflows are happening at any given time. There's so many of them that it makes sense, from a cost perspective, why MS simply fixes the ones that matter as they come up.

  27. Translation... by Overly+Critical+Guy · · Score: 3, Insightful

    Translation: "I'm going to defend Microsoft on Slashdot to get karma (it makes you look enlightened and individual to moderators), so in an article where Microsoft was clearly caught with their pants down, I'm going to instead distract the issue by mocking the coding experience of some of the commenters, as if that has anything to do with the #1 software company in the world not getting the 'software' part right. It's kind of like telling movie reviewers who've never made a movie before that they can't criticize movies."

    --
    "Sufferin' succotash."
  28. Remember This Story by bfree · · Score: 4, Insightful

    The next time MS claims it fixes security holes faster then anyone else ...

    --

    Never underestimate the dark side of the Source