Microsoft patch that didn’t
p2p news / p2pnet: “This paper is an advisory but mostly it describes a mistake made by Microsoft on patch MS05-018 where Microsoft failed to properly fix a vulnerability having to release a new patch MS05-049. Hopefully this paper will open the eyes to software vendors to not repeat this kind of mistakes.”
That’s the way Argentinian security expert Cesar Cerrudo, founder and CEO of Argeniss Information Security, kicks off his paper called Story of a dumb patch.
It gives a blow-by-blow breakdown of how Bill and the Boyz released a patch which supposedly fixed a DoS (denial-of-service) hole in its CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem.
Cerrudo reverse engineered the bug to write an exploit, only to find the vulnerability could still be exploited.
“The problem was that Microsoft didn’t patch the vulnerable function they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them,” says Cerrudo.
He gives Microsoft a pat on the back for “improvements on all aspects of security over the last years,” but thinks the company “still needs some fine tuning on the patching process” to avoid making this kind of mistake.
But, he adds, “Microsoft is 1000% better than Oracle at handling and patching vulnerabilities”.
Go here for .pdf with all the gruesome details ; )
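The failure mode Cerrudo describes, as an added C sketch that is not taken from his paper or from Microsoft's code: validation placed in front of one call leaves a second route to the same function unchecked, while a check inside the function covers every caller. All function names and the buffer size are hypothetical, and the stand-in function counts and clamps an oversized length instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
static char buf[BUF_LEN];
static int unsafe_hits; /* oversized lengths that reached the unfixed function */

/* Stand-in for the vulnerable function: it trusts n. To keep this demo
 * memory-safe it counts the bad call and clamps instead of overflowing. */
static void sink(const char *src, size_t n) {
    if (n > BUF_LEN) { unsafe_hits++; n = BUF_LEN; }
    memcpy(buf, src, n);
}

/* Incomplete patch: validation added in front of one call only. */
static int path_a_patched(const char *src, size_t n) {
    if (n > BUF_LEN) return 0; /* the added validation code */
    sink(src, n);
    return 1;
}

/* A second route to the same function that the patch never touched. */
static int path_b_unpatched(const char *src, size_t n) {
    sink(src, n);
    return 1;
}

/* Complete fix: the check lives inside the function, so every caller gets it. */
static int sink_fixed(const char *src, size_t n) {
    if (n > BUF_LEN) return 0;
    memcpy(buf, src, n);
    return 1;
}

int incomplete_patch_hits(void) {
    char big[64] = {0}; /* constructed oversized request */
    unsafe_hits = 0;
    path_a_patched(big, sizeof big);   /* rejected by the added check */
    path_b_unpatched(big, sizeof big); /* still reaches sink() */
    return unsafe_hits;
}

int complete_fix_accepted(void) {
    char big[64] = {0};
    /* Both callers go straight to sink_fixed(); count accepted requests. */
    return sink_fixed(big, sizeof big) + sink_fixed(big, sizeof big);
}

int main(void) {
    printf("incomplete patch, unsafe hits: %d\n", incomplete_patch_hits());
    printf("complete fix, accepted oversized: %d\n", complete_fix_accepted());
    return 0;
}
```

When reviewing a fix of this kind, enumerating every caller of the patched function is the check that separates the first pattern from the second.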

October 31st, 2005 at 8:58 am
Billy n da boyz should take a leaf out of Apple’s book, admit defeat, and base their next OS on a Linux distro. At least they’d be starting with more stable foundations than the current versions of Windows.
I’d recommend they use Wine and WineX as well. With MS’s resources devoted to it, backwards compatibility for games wouldn’t be an issue. Well, no more than it is at the moment. Just try running most 95 based games on a modern PC. Heck, I’ve seen games refuse to install because I’ve had too much space free on the drive!
November 3rd, 2005 at 10:53 pm
Admit defeat? Did they lose? What stuff are you smoking?
Where did you read that OSX is more popular than XP?
Apple OS X is really not better. From a technical point of view they should not license a stone age Unix based Linux-like core but a more hyper modern OS like BeOS. At least XP is based on pure MS code. Built in only +- 15 years