Thursday, October 27, 2005

Story of a Dumb Microsoft Patch

Cesar Cerrudo tells the Story of a Dumb Patch (PDF) from Microsoft. Dana Epps called it a Microsoft screw up and makes an important recommendation for dealing with data coming into a function.

UPDATE: There's a Slashdot thread on this issue.

Also, Cesar e-mailed me the following to counter Microsoft's response/explanation, which was included in my coverage:

Hi Ryan,

Just one thing to clarify Microsoft's comments, because it seems they tried to add doubts and to discredit me:

Patch MS05-049 addresses three vulnerabilities:
Shell Vulnerability - CAN-2005-2122
Shell Vulnerability - CAN-2005-2118
Web View Script Injection Vulnerability - CAN-2005-2117

Shell Vulnerability - CAN-2005-2122 is the one on patch MS05-049 that was improperly fixed on previous patch MS05-018, named CSRSS Vulnerability - CAN-2005-0551 on patch MS05-018.

If you have any doubts, you can contact serious third parties; I bet they will confirm my findings.

Thanks.

Cesar Cerrudo,
CEO & Founder.
Argeniss - Information Security


UPDATE 2: On the MSRC Blog, Stephen Toulouse has addressed this story in a candid way:

"Yes MS05-049 was a more complete fix. There’s no two ways about it. Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us. We don’t want people to worry that there was a problem with MS05-018 or that it didn’t protect against the specific vulnerability it was designed to address...

[W]e’ve taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn’t happen in the future."
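The two points above, Epps's recommendation about data coming into a function and Toulouse's admission that the fix should have addressed "the underlying vulnerable function", describe the same engineering lesson: a check added at the one call site that was reported leaves every other path into the function exposed, while a check at the function's own boundary covers all callers. The following is an added, constructed illustration in C; it is not code from the original post, from Cesar Cerrudo's paper, or from Microsoft, and nothing in it reflects the actual CSRSS code. The record structure, the buffer size, the two call paths and the input string are all invented for the example. The out-of-bounds write of the "before" state is replaced by an instrumented copy that truncates and counts the bytes that would have gone past the buffer, so the program runs safely while still showing which paths a narrow fix leaves open.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NAME_CAP 16   /* constructed buffer size */

struct record { char name[NAME_CAP]; };

/* Instrumented stand-in for the unbounded copy inside the vulnerable function.
 * Instead of writing past the buffer, it truncates and adds the number of
 * bytes that WOULD have been written out of bounds to oob_bytes. */
static size_t oob_bytes;

static void unsafe_copy(char *dst, size_t cap, const char *src)
{
    size_t need = strlen(src) + 1;            /* bytes an unbounded strcpy writes */
    if (need > cap) {
        oob_bytes += need - cap;              /* would have overflowed by this much */
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
    } else {
        memcpy(dst, src, need);
    }
}

/* "Before" state: the shared function trusts whatever its callers hand it. */
static void set_name_unchecked(struct record *r, const char *src)
{
    unsafe_copy(r->name, NAME_CAP, src);
}

/* Narrow fix: a length check at the one call site that was reported. */
static int narrow_fix_reported_path(struct record *r, const char *src)
{
    if (strlen(src) >= NAME_CAP)
        return 0;                             /* rejected on this path only */
    set_name_unchecked(r, src);
    return 1;
}

/* A second path into the same function was never patched and still reaches
 * the unchecked copy with the caller's data. */
static int narrow_fix_other_path(struct record *r, const char *src)
{
    set_name_unchecked(r, src);
    return 1;
}

/* Complete fix: the check lives inside the function, so every caller, present
 * and future, goes through it. Returns 1 on success, 0 if the input is rejected. */
static int set_name_checked(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_CAP)
        return 0;                             /* reject; record left untouched */
    memcpy(r->name, src, n + 1);
    return 1;
}

static int complete_fix_reported_path(struct record *r, const char *src)
{
    return set_name_checked(r, src);
}

static int complete_fix_other_path(struct record *r, const char *src)
{
    return set_name_checked(r, src);
}

/* Drive both call paths with the same input and report how many bytes would
 * have been written out of bounds under each fix. */
static size_t oob_with_narrow_fix(const char *src)
{
    struct record r = {{0}};
    oob_bytes = 0;
    narrow_fix_reported_path(&r, src);
    narrow_fix_other_path(&r, src);
    return oob_bytes;
}

static size_t oob_with_complete_fix(const char *src)
{
    struct record r = {{0}};
    oob_bytes = 0;
    complete_fix_reported_path(&r, src);
    complete_fix_other_path(&r, src);
    return oob_bytes;
}

int main(void)
{
    /* constructed input: 32 characters, twice the buffer capacity */
    const char *long_name = "this-name-is-far-too-long-for-it";
    printf("narrow fix:   %zu bytes would go out of bounds\n", oob_with_narrow_fix(long_name));
    printf("complete fix: %zu bytes would go out of bounds\n", oob_with_complete_fix(long_name));
    return 0;
}
```

With the narrow fix the reported path rejects the input but the second path still pushes 17 bytes past the buffer; with the check moved into the function both paths reject it and the count is zero. When triaging a fix for a reported input, the question to ask is whether the check is on the data's entry into the vulnerable function or only on the one route the reporter happened to use.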


A correction for Toulouse: It was Cesar himself who called it a dumb patch, not "some people."