Slashdot Mirror


The Story of a Microsoft Patch

buckethead writes "eWeek is running a story about a security patch from Microsoft that failed to adequately address a denial-of-service flaw in CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem. It stems from a research paper from Argeniss that discusses how Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths." From the article: "The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them."
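The patch pattern the summary describes, as an added C illustration that is not code from CSRSS, the Argeniss paper or the eWeek article: a hypothetical sink reachable from two entry points, a check added in only one caller, the callee-side fix, and a probe that drives every known entry point with the hostile input to count the paths a patch left open. All names, the table and the index values are assumptions made for the example.

```c
#include <stddef.h>

/* Hypothetical table standing in for the data the CSRSS sink touched. */
#define TABLE_LEN 4
static const int table[TABLE_LEN] = {10, 20, 30, 40};
enum { RESULT_OK = 0, RESULT_REJECTED = -1, RESULT_CRASHED = -2 };
typedef int (*entry_fn)(size_t, int *);

/* Original sink: no range check of its own. An out-of-range index is reported
 * as RESULT_CRASHED instead of faulting so the outcome can be asserted on. */
static int sink_unchecked(size_t idx, int *out) {
    if (idx >= TABLE_LEN) return RESULT_CRASHED;
    *out = table[idx];
    return RESULT_OK;
}

/* Path 1: the one call site the first patch guarded; the check is in the caller. */
static int path1_patched(size_t idx, int *out) {
    if (idx >= TABLE_LEN) return RESULT_REJECTED;
    return sink_unchecked(idx, out);
}

/* Path 2: a second route to the same sink that the first patch did not touch. */
static int path2_unpatched(size_t idx, int *out) { return sink_unchecked(idx, out); }
/* The fix the article argues for: the check moves into the sink itself, so every
 * caller, including ones nobody enumerated, is covered. */
static int sink_hardened(size_t idx, int *out) {
    if (idx >= TABLE_LEN) return RESULT_REJECTED;
    *out = table[idx];
    return RESULT_OK;
}
static int path2_after_fix(size_t idx, int *out) { return sink_hardened(idx, out); }
/* Value reached through a path, or the negative status if it was rejected or
 * reached the unchecked sink with a bad index. */
static int lookup_via(entry_fn path, size_t idx) {
    int v = 0, rc = path(idx, &v);
    return rc == RESULT_OK ? v : rc;
}
/* The "identify all the paths" step the summary says was skipped: drive every
 * known entry point with a hostile index and count those that still fault. */
static int count_unguarded(const entry_fn *entries, size_t n, size_t hostile) {
    int unguarded = 0;
    for (size_t i = 0; i < n; i++)
        if (lookup_via(entries[i], hostile) == RESULT_CRASHED) unguarded++;
    return unguarded;
}
static const entry_fn first_patch[] = { path1_patched, path2_unpatched };
static const entry_fn second_patch[] = { path1_patched, path2_after_fix };
static int unguarded_after_first_patch(void) { return count_unguarded(first_patch, 2, 99); }
static int unguarded_after_second_patch(void) { return count_unguarded(second_patch, 2, 99); }
```

The probe only counts paths someone has listed in the entry table; the point of moving the check into the sink is that an unlisted caller is still covered.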

8 of 183 comments

  1. It's no wonder... by Anonymous Coward · Score: 5, Funny

    A Microsoft Microsoft patch? That's the worst kind!

  2. Is this really that bad? by ebob9 · Score: 5, Insightful

    The article criticizes Microsoft for not fully understanding the vulnerability, and issuing an incomplete patch.

    I understand that in a best case scenario, a vendor should release a 100% effective patch. However, in reality, that's not always going to be the case.

    Microsoft released a patch that stopped the public vulnerable attack vector. Then, once they were alerted that they didn't fix all possible vectors, they issued a new patch (albeit quite a few months later).

    With the large amount of bugs and vulnerabilities that a software behemoth like Windows is going to have, is it really that unthinkable that an incomplete first-patch would be released? I'd wager that even OSS products routinely have incomplete first-patches.

    1. Re:Is this really that bad? by QuietLagoon · Score: 5, Insightful
      Yes, this is really that bad. Software development is supposed to be Microsoft's core competency. That they are not knowledgeable enough to patch the root cause instead of the symptom speaks volumes of their incompetence in their supposed core competence.

      The first question I'd now ask is what other symptoms have been patched which have left other vulnerabilities open for exploit via other attack vectors?

  3. Movie Deal by jettoki · Score: 5, Funny

    From TFA:
    It's being called the "story of a dumb patch."

    Soon to be a 200-part epic, starring John Goodman as Steve Ballmer.
    Coming to a Windows Vista box near you!

  4. Security and the stock price by ewg · Score: 5, Insightful

    Has any Windows security problem ever hurt Microsoft's stock price?

    I checked MSFT a couple of times when mail-based malware was running amok, seriously enough to reach the general news media. No effect.

    If that's the overall pattern when it comes to Microsoft security issues and Microsoft's business success, it goes a long way toward explaining security missteps like MS05-018. There's no direct incentive for them to master security.

    --
    org.slashdot.post.SignatureNotFoundException: ewg

  5. Re:Why didn't they fix it right in the first place by daern · Score: 5, Informative

    Why didn't they fix the vulnerable function in the first place (is there a specific reason)? Sure, adding validation seems like a quick and valid fix, but a company the size of MS should have known: in the long run, fix the function instead.

    One possible reason is that changing the code to make it "safe" would have broken application compatibility. I would be very surprised if this was not the reason...

    This would explain why, instead of fixing the underlying problem, they chose to wrap it in validation to reduce the risk. It sounds like they did not do a complete analysis of the problem, but I think that's a method problem rather than a fundamental flaw in how they fixed it.

  6. Re:Liability by Lillesvin · Score: 5, Funny

    [...] just like pizza: do you usually pay for pizza after or before you eat it?

    Usually the delivery boy won't let go of the damn box until I hand him the money.

    --
    "Live free or don't."

  7. Health care coverage and the patch by goombah99 · Score: 5, Funny

    Is a Microsoft patch anything like one of those nicotine patches that help you stop smoking? If so, I wonder if my health care will cover it. I'd like to slap one of those on the asses of my co-workers and help get them off their addiction to Microsoft.

    I guess one might consider Linux to be sort of a methadone. Something that helps you with your cravings for the bad stuff, but ultimately leaves you without that satisfying high.

    Personally I use OS X, but I'm not addicted. I could stop anytime I want to. I just don't want to, that's all. Now excuse me while I watch the Genie effect a few times before I send this.

    --
    Some drink at the fountain of knowledge. Others just gargle.