p2p news / p2pnet: “This paper is an advisory, but mostly it describes a mistake made by Microsoft on patch MS05-018, where Microsoft failed to properly fix a vulnerability and had to release a new patch, MS05-049. Hopefully this paper will open the eyes of software vendors so they do not repeat this kind of mistake.”
That’s the way Argentinian security expert Cesar Cerrudo, founder and CEO of Argeniss Information Security, kicks off his paper, Story of a dumb patch.
It gives a blow-by-blow breakdown of how Bill and the Boyz released a patch which supposedly fixed a DoS (denial-of-service) hole in its CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem.
Cerrudo reverse engineered the bug to write an exploit, only to find the vulnerability could still be exploited.
“The problem was that Microsoft didn’t patch the vulnerable function; they just added some validation code before the call to the vulnerable function. But what Microsoft missed was that the vulnerable function can be reached from different paths, and the validation code was added on just one of them,” says Cerrudo.
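The pattern Cerrudo describes, as an added illustration that is not from his paper or from Microsoft's code: a fixed-size copy routine reachable from two request paths, a caller-side check bolted onto only one of them, and the proper fix that validates inside the routine itself. The buffer size, function names and the simulated (reported, not performed) overflow are assumptions of this constructed sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sketch of the MS05-018 mistake: one sink, two callers. */
#define BUF_SIZE 64

enum outcome { ACCEPTED = 0, REJECTED = 1, SINK_OVERFLOWED = 2 };

/* The "vulnerable function": copies len bytes into a fixed buffer and
   trusts len. The overflow is only reported here, never performed, so
   the sketch runs safely; the real code would crash (the DoS). */
static enum outcome unchecked_copy(const uint8_t *src, size_t len) {
    uint8_t buf[BUF_SIZE];
    if (len > sizeof buf)
        return SINK_OVERFLOWED;
    memcpy(buf, src, len);
    return ACCEPTED;
}

/* The proper fix: validation lives in the sink, so every caller is covered. */
static enum outcome checked_copy(const uint8_t *src, size_t len) {
    if (len > BUF_SIZE)
        return REJECTED;
    return unchecked_copy(src, len);
}

typedef enum outcome (*sink_fn)(const uint8_t *, size_t);

/* Path A: the caller the patch touched; the check sits before the call. */
static enum outcome path_a(sink_fn sink, const uint8_t *src, size_t len) {
    if (len > BUF_SIZE)
        return REJECTED;
    return sink(src, len);
}

/* Path B: a second route to the same sink that the patch did not touch. */
static enum outcome path_b(sink_fn sink, const uint8_t *src, size_t len) {
    return sink(src, len);
}

/* Feed an oversized request down both paths; 1 if the sink is still
   reachable with bad input through either of them, 0 otherwise. */
static int sink_still_reachable_with_bad_input(sink_fn sink) {
    static const uint8_t big[256] = {0};   /* constructed oversized input */
    return path_a(sink, big, sizeof big) == SINK_OVERFLOWED
        || path_b(sink, big, sizeof big) == SINK_OVERFLOWED;
}
```

With the caller-side check alone, path A rejects the input while path B still reaches the sink; moving the check into the sink closes both routes at once.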
He gives Microsoft a pat on the back for “improvements on all aspects of security over the last years,” but thinks the company “still needs some fine tuning on the patching process” to avoid making this kind of mistake.
But, he adds, “Microsoft is 1000% better than Oracle at handling and patching vulnerabilities”.
Go here for the .pdf with all the gruesome details ; )