MS06-015 Fiasco, Chapter Three

MS06-015 is an example of exactly how wrong security at Microsoft can go. The company paid lip service to publicly disclosed vulnerabilities and released a badly-broken patch. Worse still, the (sleeping?) powers that be at Microsoft have come to this enlightened conclusion:

Specifically, after extensive investigation, we’ve found that it’s not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows [98 and Millennium] to eliminate the vulnerability.

This is because during the development of Windows 2000, we made significant enhancements to the underlying architecture of Windows Explorer. The Windows Explorer architecture on these older versions of Windows is much less robust than the more recent Windows architectures.

So… Windows 98 and Windows Me users, you’re not getting a patch. Even the “Critical patches only” support is apparently just advisory. If it’s just too hard to produce a patch for you, you won’t get one. This should sound familiar: Microsoft has previously failed to patch remotely-exploitable vulnerabilities on supported systems. One such example was the apparently devastating architectural complexity of (not) patching a null pointer dereference in Windows NT 4.0’s RPC Endpoint Mapper in 2003.

Then there’s this earth-shattering revelation:

Due to these fundamental differences, these changes would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.

“No assurance that applications designed to run on these platforms would continue to operate on the updated system.”

Gee, that sounds familiar. Oh yeah… that described Windows 2000 and Windows XP after they were patched against MS06-015. Perhaps Microsoft thinks it is doing 98/Me customers a favor by giving them one more reason to upgrade and by not turning loose this hack of a security patch on their already fragile systems. They’re probably right, if they do.

The first step is recognizing you have a problem, and this is indeed a positive step… Microsoft is admitting that some of its software is so poorly engineered as to be beyond hope of repair. We wondered when they’d notice.