Microsoft's 'dumb' patch
Microsoft released a "dumb fix" in April and made right with a patch released in October, according to Cesar Cerrudo, CEO at information security services company Argeniss in Argentina.
In a recent paper published on his company's Web site, Cerrudo said that "Microsoft failed to properly fix a vulnerability" and had to release a new patch. "Hopefully this paper will open the eyes of software vendors not to repeat this kind of mistake," Cerrudo wrote.
"The problem was that Microsoft didn't patch the vulnerable function, they just added some validation code before the call to the vulnerable function," he wrote. "What Microsoft missed was that the vulnerable function can be reached from different paths and the validation code was added on just one of them."
The April patch, MS05-018, was meant to address a stack-based buffer overflow in the Windows Client/Server Runtime Subsystem (CSRSS).
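The failure mode Cerrudo describes is easy to see in miniature: a length-unsafe copy routine (the sink) that two entry points reach, a first fix that checks the length only in front of the reported entry point, and a second fix that checks it inside the sink so every caller is covered. The following C program is an added illustration written for this page; it is not code from Cerrudo's paper or from Windows, and the message format, function names (`copy_name`, `reported_path`, `other_path`) and buffer size are invented for the demo. A sentinel field after the buffer stands in for the saved return address, and the copy is clipped at the end of the frame so the program itself stays defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32
#define CANARY   0xDEADC0DEu

enum fix_level { FIX_NONE, FIX_CALLSITE, FIX_SINK };
enum result    { RES_OK, RES_SMASHED, RES_REJECTED };

/* Constructed message format: one length byte followed by payload bytes. */
struct msg {
    uint8_t len;
    uint8_t data[255];
};

/* Stand-in for a stack frame: the destination buffer followed by a sentinel
 * that plays the role of the saved return address. */
struct frame {
    char     name[NAME_MAX];
    uint32_t canary;
};

/* The vulnerable sink: copies len bytes into a fixed-size buffer.
 * With check_in_sink set it behaves like a fix applied inside the function
 * (what the article says MS05-049 did); otherwise it trusts the caller. */
static int copy_name(struct frame *f, const struct msg *m, int check_in_sink)
{
    if (check_in_sink && m->len >= NAME_MAX)
        return RES_REJECTED;
    size_t n = m->len;
    /* On a real stack the overrun would continue past the frame. The demo
     * clips the copy at the end of the frame and targets the frame base so
     * the overrun into `canary` is defined behaviour rather than a crash. */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, m->data, n);
    return RES_OK;
}

static enum result check_frame(const struct frame *f, int rc)
{
    if (rc == RES_REJECTED)
        return RES_REJECTED;
    return f->canary == CANARY ? RES_OK : RES_SMASHED;
}

/* Path 1: the entry point that was reported. The MS05-018-style fix adds a
 * length check here, in front of the call, and nowhere else. */
enum result reported_path(enum fix_level level, const struct msg *m)
{
    struct frame f = { {0}, CANARY };
    if (level == FIX_CALLSITE && m->len >= NAME_MAX)
        return RES_REJECTED;
    return check_frame(&f, copy_name(&f, m, level == FIX_SINK));
}

/* Path 2: a second entry point that reaches the same sink. The call-site
 * patch never touched it, so only the in-sink check protects it. */
enum result other_path(enum fix_level level, const struct msg *m)
{
    struct frame f = { {0}, CANARY };
    return check_frame(&f, copy_name(&f, m, level == FIX_SINK));
}

/* Constructed oversized message: 200 bytes of 'A', well past NAME_MAX. */
void make_attack(struct msg *m)
{
    m->len = 200;
    memset(m->data, 'A', sizeof m->data);
}

int main(void)
{
    static const char *names[] = { "no fix", "call-site check", "check in sink" };
    static const char *res[]   = { "ok", "FRAME SMASHED", "rejected" };
    struct msg attack;
    make_attack(&attack);
    for (int lv = FIX_NONE; lv <= FIX_SINK; lv++)
        printf("%-16s reported path: %-14s other path: %s\n", names[lv],
               res[reported_path(lv, &attack)], res[other_path(lv, &attack)]);
    return 0;
}
```

Running it prints one row per fix level: with no fix both paths smash the frame, with the call-site check only the reported path is rejected while the other path still smashes the frame, and with the check in the sink both paths are rejected. The practical lesson is the one the article draws: when the root cause is an unbounded copy, put the bound in the function that does the copying, then audit every caller anyway.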
Microsoft acknowledges the error. "Yes, MS05-049 was a more complete fix. There's no two ways about it," Program Manager Stephen Toulouse wrote Monday on the Microsoft Security Response Center blog.
"Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us," Toulouse wrote.
"We've taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn't happen in the future," Toulouse wrote.