Hi everyone, Stephen Toulouse here.
One of the security researchers that the MSRC works with, Cesar Cerrudo of Argeniss, has pointed out that update MS05-018 fixed an entry point to a vulnerable function without addressing the vulnerable function itself. Some people have called this a “dumb patch” and stated that MS05-049, where we addressed some other vulnerabilities and at the same time addressed the actual vulnerable function, was the proper fix.
Yes MS05-049 was a more complete fix. There’s no two ways about it.
Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us. We don’t want people to worry that there was a problem with MS05-018 or that it didn’t protect against that the specific vulnerability it was designed to address.
We certainly thank Cesar for working with us to protect our customers and appreciate his partnership. Again, we’ve taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn’t happen in the future.
*This posting is provided "AS IS" with no warranties, and confers no rights.*