Researcher Details More Microsoft Patch Missteps

The goof, claimed security researcher Cesar Cerrudo, chief executive of Argeniss Information Security, forced Microsoft to release another security bulletin in October.

Cerrudo published his paper, "Story of a dumb patch," with details of how Microsoft slapped a Band-Aid on a bug rather than really plug the vulnerability outlined in MS05-018, one of eight bulletins issued in April.

MS05-018 actually dealt with four different vulnerabilities in Windows 2000, Windows XP, and Windows Server 2003. Cerrudo focused on the Client Server Runtime System (CSRSS) bug, which was ranked as "Important" -- the second-highest in Microsoft's four-step scheme -- because an attacker needed local access to a PC.

Cerrudo noted that Microsoft didn't completely close off all possible exploits.

Sponsored post

"The problem was that Microsoft didn't patch the vulnerable function they just added some validation code before the call to the vulnerable function," he said. "But what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them."

Cerrudo found the still-open attack routes after he reverse-engineered the bug to build an exploit, a common technique that both researchers and hackers use to take advantage of newly-disclosed vulnerabilities in Windows.

"Microsoft forgot to do proper research to identify all the paths," Cerrudo said.

Only in October, Cerrudo said, did Microsoft finally shut the door with the release of the MS05-049 security bulletin. "This [MS05-049] fix is good but Microsoft should have done it in [the] first patch," he wrote.

"Microsoft still needs some fine tuning on the patching process in order to avoid this kind of mistake," he concluded.

Patch problems have become rife at Microsoft. In October, the company needed to clarify or reissue two bulletins rolled out earlier in the month.

Microsoft did not refute Cerrudo's claim -- in a brief statement, the company even thanked him for "working with Microsoft to protect our customers" -- but neither would it confirm it.

Instead, a spokesperson said that the two bulletins, April's MS05-018 and October's MS5-049, both address vulnerabilities in CSRSS. "MS05-049 addresses a new vulnerability that was not addressed as part of MS05-018," she said. "MS05-018 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability.

"Microsoft continues to encourage customers to download both MS05-018 and MS05-049," the spokesperson added.