Gorenc was critical of Microsoft's omission four years ago. "Considering the number of eyes that have looked at that code and the patch, it's surprising that it actually existed," Gorenc said. "It proves that they're not analyzing the patches as much as we thought."
He also noted that exploits were able to sidestep Windows' defenses, including ASLR (address space layout randomization). "It's definitely interesting to see that researchers [like Heerklotz] are interested in looking for arbitrary code execution where memory corruption defenses in Windows are ineffective," Gorenc said in an interview. "All you have to do is browse to a folder on a malicious site and you'll execute code. It's a very silent way to get into a system."
Microsoft said it had no evidence that Heerklotz's findings had been used in actual attacks. "When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers," the MS15-020 bulletin said.
While Gorenc had no proof to the contrary, he implied that others — including cyber criminals — may also have dug into the 2010 patch, possibly long ago. "Clearly, people have been looking at the code base and looking for ways to bypass the validation check," he said of the original fix's approach. "It's hard to believe that it went undiscovered until now."
All supported versions of Windows, from Windows Server 2003 — which will be retired in July — to the latest Windows 8.1, contained the errant patch, and so must be re-patched with yesterday's update.
Gorenc confirmed that MS15-020 plugged the hole Heerklotz found, at least in the versions of Windows that ZDI was able to check. Because Microsoft no longer issues public patches for Windows XP — it dropped off the support list in April 2014 — but does provide critical updates to corporate customers who have paid for custom post-retirement support, his team was unable to verify the efficacy of any XP fix.
Windows XP did receive the 2010 update — designated as MS10-046 — and is virtually guaranteed to have the flaw discovered by Heerklotz.
The silver lining in this, Gorenc said, is that researchers were taking second, third and maybe even more looks at Microsoft's patches. "But it's a pretty amazing find," he said.
Microsoft did not immediately reply to questions today, including how the flaw had been overlooked earlier.