Windows - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Windows


Another Black Eye for Microsoft Patch Creation Process



 By: Ryan Naraine
2005-10-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


Rate This Article:
Poor Best
Updated: Security researchers highlight more errors in Microsoft's patch creation process and warn that the mistakes are proving costly for users.

Its being called the "story of a dumb patch."

A private security research firm has published an advisory with details on a fundamental mistake made by Microsoft Corp. that caused a security patch to ship without an adequate fix for the flaw it was meant to address.

Cesar Cerrudo, founder and CEO of Argeniss Information Security, found that the inadequate fix was included in the MS05-018 bulletin that shipped on April 12, leading to a situation where a new patch had to be created to provide comprehensive protection.

Cerrudo, a well-known researcher who specializes in application security, published technical details, here in PDF form, to explain how the original patch missed several attack vectors.

The original patch was meant to address a denial-of-service flaw on CSRSS (Client/Server Runtime Server Subsystem), the user-mode part of the Win32 subsystem.

However, when Cerrudo reverse engineered the bug to build an exploit, he found that that the vulnerability could still be exploited.

"The problem was that Microsoft didnt patch the vulnerable function; they just added some validation code before the call to the vulnerable function, but what Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them," he said.

Resource Library:

Click here to read more about patch quality concerns.

"[The problem] is that Microsoft only patched one path to the vulnerable function, but they forgot to do proper research to identify all the paths," Cerrudo said.

In Cerrudos paper, he provides an analysis of the underlying vulnerability and the way Microsoft worked what he described as a "dumb fix" and noted that the companys coders eventually had to go back to the drawing board to create MS05-049, a bulletin that shipped in the October batch of patches.

Read more here about a Microsoft patch that didnt plug the vulnerability it was designed to fix.

"[This MS05-049] fix is good, but Microsoft should have done it in the first patch," Cerrudo added.

"Microsoft failed to build a good fix, thus losing a lot of money and time," he said, noting that the time and resource costs are also borne by end users who had to apply two patches instead of one.

"I personally have seen Microsoft improvements on all aspects of security over the last years, but I think that Microsoft still needs some fine tuning on the patching process in order to avoid this kind of mistakes."

"The moral of the story: Always patch the vulnerable function or at least patch all paths to vulnerable function," he added.

The poor quality of the software giants patches has been a major black eye for the MSRC (Microsoft Security Response Center), the unit at Redmond that coordinates the software update process.

To read more about Microsoft pulling its Internet Explorer patches, click here.

The company has invested heavily on improving the security response process, recruiting external patch testers and has implemented several new widely hailed initiatives, but patch quality remains a major nightmare.

Bulletin revisions to fix problematic patches have become a monthly occurrence, putting the MSRC within a rock and a hard place in the struggle to produce security fixes in a timely manner.

According to Dana Epp, a security consultant who tracks Microsofts security efforts, said the latest mistake proves that the human factor remains the "weakest link" in security.

"Even with the new secure programming paradigm at Microsoft, a recent set of patches show that the process is not perfect. Humans are fallible. Even the ones at Microsoft," Epp said in a blog entry discussing Cerrudos findings.

Epp said the specific error points to a "bigger problem" at Redmond because the company is well aware of the principles of checking string copy functions to stop buffer overflows.

"[These] principles seem to have been missed by the developers working on the patch."

Asked to respond to Cerrudos paper, a spokesperson for Microsoft said that both MS05-018 and MS05-049 address vulnerabilities that affect CSRSS, but noted that the later bulletin fixed a "new vulnerability that was not addressed as part of MS05-018."

In a brief statement, Microsoft said the original patch helps protect against the vulnerability discussed in in the MS05-018 bulletin, but the company did not address Cerrudos argument that the original patch never fully addressed the associated risks.

"MS05-049 does not replace MS05-018. Microsoft continues to encourage customers to download both MS05-018 and MS05-049, as well as all recent security updates," the spokesperson said.

Editors Note: This story was updated to include comments from Microsoft.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.



  Reader Comments: Another Black Eye for Microsoft Patch Creation Process
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


x}r8s;iW1ŋvI-ۚ-*Oul!m䐔muy9?߸xӅ|-`L$|Iȹ=&1(ٝ:FߧCޙ%>{&(ɑԫR]}nw2v=7v@\}@^cFD%x_'Щѩ€wɄIPް+S}L}F6\3Ѣeeb ^Pk$ȁ_ ܢ%yH}u)p}(DsXq@GH;*'x8սi/DeO^b&{By45;^70kBa50vK]K oCUVekV6^;s9ȹ3z$nPrN7w#205ARZ [XdTZ Ӂc)u8r `p)jHtGL#nK>P:x ]3~bA2xfhQTBp` F?j)y'C]tQV_սYo@ׁ>{6̳M]b6Jۄ@ظ?0}$OL"9˾,Fpf0 -sxi M-jZUQ bkG}޴ ޷L{`T3x;n>=Wʪ)J{>ʑKo5-%u`(.GםnG.;_ZAc'H H~w&LT)Jj\(LLCa:|5 P%FV4E; K`f1SdXI#/YTU![cҺ쵮鵎ۭd̲1<JEӀ Zvb!?ޙCV7'77MtqKEVHN‘,?z۾Bdu#7{ReQ oȱn>@|Ӡd0r* ?n^S;G7ۯZx۬ rƒ) tK3;nZK=0[=RFp&\ Дaǘذ 1"%iJqOO XRU>hI"A[fT}O%ތE z%Ku}7pCKizlNTVʒ0Wb{g(EށI|:&ݫe.ZnS3G#вnZs榣V)b1+%YE*@8ʍ??1m!S[ö@ .S3+qL>CZG>/=Sji}vi(|I}Ѧޣ83}81 @ LNa 8V83 uCuәݰ=Wԇ9[i50CGE 6]LR}l;>tHhQ0<sx0ܙ[S衟#]ѽ:?`#0.Z-{ Be^~}¢83B7}`Nt&Qc6>x??Ȝ+) XtgrGֶL/ J% jJ=SsA|5 i!3L&Ze neg HtXKnuo?Jյ݋pz1(a]hk%T?X!d[}aa6E]QZRKHD@CR)Ե ŠaY^`(ytM̆Т𧖴&nw߱}|sö V/U OLYZsX)Z%R{5>k断,0!.(2n( ,قrij68:X麞~o푛ر3 l0Tϣ(a!w1 ) >Aװ DؚZU{gm1Jha˸>q,?XĞ]FCǚO]Sa.HMw.jFd>n'L[aHz>cTfha82-|O=ݝtlZB_ua /Ƥ'I?րH{A2,exY΁5mIr 'jY$ Ei.0Y$pFS-cD[OS[T'/ł4Ye f,AS dVBS{ZYUKZTp~W`qϏxO?"5t8x_8݉񦗟QoN*>kSMK\s>#]\aQaƖ4FXXH]M;H̎OƚR*%)ϐPc0](*h3saztܛy`dEN]CxPlW1pv~ 9(k58ΓuO#%cClȂu!WMUm~!,n`{]0>AG5h0qH&{3E689 c"uW:gKjZSZ+::>j9g+ӥ ,ǡ]F5}-tq]U*jAe߯Y+^> (Lt0Ȁ%=Gl3۩p>tV}P@K&nƚ637}&-no^{_x#˙yrN/dZIp|avKrekH˷"gfso鸙 y@<sUJ _ b&T~\yy خiϼV:>e6e'}VFpaqgP\&ȫ"m>s5ѻMsls Kq3`9S"象mBt`#jZ,lֳ>A>qHlw\Oħ`T0΁MO0=@" c]f.k}Yyq8u#im}SU>ה*eƬɢ(Ъ#iB/%9bvv$Me"[ pe l&SbR/փ `Aa`"U!TQ>cO7(~ (zC9km^>RTS(.>J&#UX)TԒP?YTAte縠CEZ`ЯxLl5AKfl!/`.R(S/ZfD]R/)3nQ/ ~egm>Q?PGІ&7 u5Yx\YsXҌd;zX^5uH"HVVjM`ӪV$,: 7C{d,-BGI}7\&I'sSf﹮ ``OnΏ;ܝ׍>0FIΝ rQӊ5JR#00 pĵ) rA-푡GYdQ.|aR)*`W$ɠK= j ;!(|{W !&6ǷWXOdK!O7ƒ"'! M+53,`jBU\ό&нݽ]VUv$BQ`о(&[w,OɪO@T #N;?J䏝nǽ}R>I'4/_?ٿt۽vr00VG߫%a_KKxiïR}R: jtz|y,/-~61z˾NIM$(Xq4qs'^Y{{<>n_Jmu #8-odD4|u.iR|Is޹Gy%%{u[j܉}䄬W!y[FSLo2XGZ[=ֈ4×FD!B2.5g ^|%V}Xq!slP֢ܟ]?vV  c@JA=Vo8nwΛ_#i%LB( `E/Щ c~HFrI'zRG>egǭu3_f~ Rt4zUrwۿPעo1Mr!}J_cNf4~ P=8,rh%縵vq a~:)}B-N9˙~@Ҽ"7,o =%E:_Z7db#N M5W"v=O?G0 cd9a(1|$-zdeaCݒ:p<5 :)!OO|Nhk'I^VR6T$4%!44QLNbC]F+C7g ҽj^nNpVHpo6_xvIt%yx42k85(^yNHnaJiIgԢᬖ^}+ ɏh8=Na.쓳Z;GNZ"6GHD91uv;2x;zZ1 ݮpne9jo{t~zv`蚳)o. L[ıwp߆؉ ?O*yr osל8{JnL<:㪏U3d]yE<.ďg%㇆3MQL#ryuM_{ga WO$ t{Dw{.|ʜ(=}![3zxyupFΛ۽[ue'3w)t>Niamǡ8 0Nt,4P$yUZ/WU $]ve%FtZx@2&n]%3 =яki^x̠t4l>;g{f1vnw P E.=]bwQ;]xŞwYiIU.J\-"PnGZZ|>W%0.ց-O"JHiyM-ok5G3?pF9H0gA , x@O= Hokc[1MP)Ӕ_q!/L-uMC*}WPF d "B8x6-%)T^o<"A;Y231dK }!DhE2vdY][Q⺪*X2J|X1 {{{{_#\*X%cXl݇6.a|$zM(&Ŝ+2}ri~h/nAjnx5"⭥(72\#^G*l8F0Z:rv$7:@Ά4Y{cm߁tLYg[O6=0xaH s[o/HuHƓ_ݐ^ה'u'I4bz3vh WH읷612Qjdo8t/KkM;#;fS Pf0 +\yo`E :$ q~u@2nK@h^ZhD3^ސ^E 6/q&>'?o&s3ͥ&h+lDUZ]KV jm G)v! yky_d!-7/33"tl@:vlǟy @0uB`=!F &gNt]وB@$ (l)c6¼ F<ݧR79Q͓NZ<%#00"< hzCV\ sGV35v65=IHc+}ϞϝӯR7 ?ş zK6*㲩)p]-Ob-po3_M]yԿ!f0mD^T{mX9$Gk3u#{A-[o&6௶aul:/i=uaYmZۈYޣS.3{Ur{ZZJ ne86|66؂_? ZRˬk[$I3Ʊ+}c8ET2̭,)XdfVÌ$myAv|woױw1 Rpx@QF髙H#Xݷ8a6>̫A״d=I^F ؋FP ђ,#Ћ' 5d_).+S}9lo9x^㌠ٿggI^S`܀7R*ZWq5EZP?5 ӐtpC(u[pl~RW~k?A* nO2H#bG4[8S\0kL]o0q_7nm7L=GNt ɜvpNxK)LI|5A$㷈%D#ঀع~x U;@e(=g#:ZYݵfk⟊Z-34r䏅B7o ׭.qH e _M BaqD0‡ƕqa BX?D&}8]SDpvTr@Ym2}#1v%1h}PR #%1W-{=c8vggc0RG5Śx KDnr59"@Ÿ Rxc) +hx-B,txLzm/-Iyo[K 6qN"F dѴËB.]sI 1*JM]-OQ/ ]ZX,:~eL<^^AF3 i/썦"r\IA$TG+RM1.ȏ|^ca:k6j=!`58?إ\n&G,m'hzBRKo^3C'ܬDM$n߮dNx[EG8ac\]"=y mlMᗚk:烔KpʭBף:F̹O$JMD0V 2; JI-ju9䫚RѪEU8ygm#9K.1XXeec=Hmy1~RI+-ݳD K5x#0SLtxZڊBLkBx&8f3 |}P.[˜ozpWӸƙ+6jSݞIǗzWDm#i!g1t:Ü3eh&v*1&J)tg|1K9v|TEu# h%g/?̊ےVo4Jۅ]aiJ %&099m6=a l_ҡ4 ?R)!o$:*<9`VŘ7Z]U!TQ..ZrBGh%=Qd.ROc+ӘP0C c  Ą)bUfwܠ~z*ڟOye^n3nZU}NGȚXW/J ݴXZ;C=ʇt Mx77+ SxC7+({ʞޓ_i?<}}A6ژy빟iF$Yc r'ǯy\Ix#O)׀BU"Ba=X *>IoHH$H]U# `xJ(Fņ?4u=oz.zxX2 LG>Xț`@S0`$  'lI<R+/wfA-=N|VZ؟ 0n"75|$rkqC9Ҕr?뭛Oח]0/}~f6L- DĤ"c*41GJ[!}s uˤZ 45`BRA~9xuwe~qt:70S34f;. l9 :WeO g>򽉁{0u3sRC´vxTX->>& .ycI ^yN4X+ͼ pm?݉9e/( p @Ka1c~PoVR$4 >+>gٕa)豪o)^ ;eeU =M蕴B^Ȉq/Yw|#&Ǡɵ7>XF+9\&9nHa}kw.asǞ} \MGݪ;G'ukj5sN.Mnp4ħyG:\#4[E9yF'(Q+Q~ ˏ͌w2ʑ{ˏǭ#(?Z_~9ɠ)4vq^_>5пvF?Ӿ(3k|fy|s_d/}/2{ȠE^^d'e_KFe Q~0{ s!?0~ׁw2?/ rqWU?wn=^X_s}/Yߗ doʁo2ڿh&s$eCP̐.Np3Kaʠ/ޯ/ydֺWWVF+p'k͠6K性H>Y݉ylߣx߅ ߊD,!| e%Hi0\n>aч^V_p3nze&Hy޿jC{6'Ku}MoNDB$p Go0d<.1Sx ;wM-=CPD MWF.h DǝӍ21vNrl VT+[-WJr 6  #Cb2jJUN-JTL3BAzG l]fJLZCO0CX)fง}Ll-F@ P1=:6Fcۨ*ۼxZT;)@18L,(nY\AbkOBfVx3yhcU 4dɮ51lkB['mƑĹ3 ,E~f&gM ؠGО#cw̒|OfMꮠW M&Dr&ߢjOG U*A[`ԠݶA1Q;|3sx Z<6Trކwr$56]$ǖ]`/2R:=bZ<0ۏb LS./'mB<#y"0~."6e|ekZ;`51lx}&[ !𜙄׆0' U/m ocD#Z#7CP<틒ՍP~o2#0' MĮ+fAj3ܴgŎ ='ݹfs( >Gr?>˹I Ǝ$z c߂93r^ ɡ=y$>},.q5sEEבE,&J ZsJdBZH><&QeY+D愽HaCm5uWezԢı"⴯Hױf986ݦjläd{«U/="2cX =`?GcAxC/Mav;MăV v,˽ 9=ASh4ϛW5EX!% 9wr\L籽$0\d~\g;cv N=Y,> V_$v{-B+π-sܼ |o,C左cS!m^Πo'b_n7eE&PL=G3RVM KwTr$nD܅{ ߠ(b<%_ *`> , CP6vo>L#c? `vwbں=Pŗ-;waSF)f'VFp)hN̂[OulÝg8G P/}{c*1|ue|n4~Uf2{M{:з 57`(Q|ӽy^Fuo/Asl+6-  `zMeFeZ:DR*,l'f , ~sfQhᥒ0r(#<[_ڵ<oc3)+owt%(5x;vOVec[$| _[0~YrJ^S.u 7tleb @J\о .mE7#D*}X^c 0У,*09G Vmx: ut+e!.0w:˟lہR#pݰ Qa[:n ۊuy˷D \7me#FP1M ?&Il} ralX ^|޹+o=Љe6{0^l,eH&}+qd.GDI qk.-wvua4,Lb9"[^QI(VжX3e3}"@a)5dBLN7 Qo 3pRaL ,b[иgvC{%z1~X0~v1/渲Y)>ٔe5rŤ3a=`>^}]x O0gWPR X -f1%IDb88)ҡCAȚBTfƲ 7cP.Xd-'oB@:S .xBG,?ɋ|P byx ^ŧ$AS?|T+O + SSq}=o-݉7{,sٓN<6t[<; Ootۿ{hT*ቋoZӳy:>奇ͣOםϗRXBYS$Dq+ AHdcdEg_0m\}l4n_M4V*wV㛼VtƢI:6pzRSF|01{l~r)Us̥D/4^JB\qrh6