UPDATE: There's a Slashdot thread on this issue.
Also, Cesar e-mailed me the following to counter Microsoft's response/explanation which was included in in my coverage:
Hi Ryan,
Just one thing to clarify Microsoft comments, because it seems they tried to add doubts and to discredit me:
Patch MS05-049 addresses three vulnerabilities:
Shell Vulnerability- CAN-2005-2122
Shell Vulnerability - CAN-2005-2118
Web View Script Injection Vulnerability - CAN-2005-2117
Shell Vulnerability- CAN-2005-2122 is the one on patch MS05-049 that was improperly fixed on previous patch MS05-018, named CSRSS Vulnerability - CAN-2005-0551 on patch MS05-018.
If you have any doubts you can contact serious third parties, I bet they will confirm my findings.
Thanks.
Cesar Cerrudo,
CEO & Founder.
Argeniss - Information Security
UPDATE 2: On the MSRC Blog, Stephen Toulouse has addressed this story in a candid way:
"Yes MS05-049 was a more complete fix. There’s no two ways about it. Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us. We don’t want people to worry that there was a problem with MS05-018 or that it didn’t protect against that the specific vulnerability it was designed to address...
[W]e’ve taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn’t happen in the future."
A correction for Toulouse: It was Cesar himself who called it a dumb patch, not "some people."
