Another Black Eye for Microsoft Patch Creation Process.



Updated: Security researchers highlight more errors in Microsoft's patch creation process and warn that the mistakes are proving costly for users.


It's being called the "story of a dumb patch."

A private security research firm has published an advisory with details on a fundamental mistake made by Microsoft Corp. that caused a security patch to ship without an adequate fix for the flaw it was meant to address.

Cesar Cerrudo, founder and CEO of Argeniss Information Security, found that the inadequate fix was included in the MS05-018 bulletin that shipped on April 12, leading to a situation where a new patch had to be created to provide comprehensive protection.
Cerrudo, a well-known researcher who specializes in application security, published technical details, here in PDF form, to explain how the original patch missed several attack vectors.

The original patch was meant to address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem.
However, when Cerrudo reverse engineered the bug to build an exploit, he found that that the vulnerability could still be exploited.

"The problem was that Microsoft didn't patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them," he said.

"[The problem] is that Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths," Cerrudo said.
In Cerrudo's paper, he provides an analysis of the underlying vulnerability and the way Microsoft worked what he described as a "dumb fix" and noted that the company's coders eventually had to go back to the drawing board to create MS05-049, a bulletin that shipped in the October batch of patches.



More:
http://www.eweek.com/article2/0,1895,1879102,00.asp