One of the patches released by Microsoft last week is not providing protection against the vulnerability it was meant to fix, according to a researcher who today accused Microsoft of making functionality a higher priority than security.
According to Tyler Reguly, a senior security engineer at nCircle Network Security Inc., last Tuesday’s MS09-008 update does not fix the problem for all users, many of whom may not realize that they’re still vulnerable to attack. “When you get a patch from a vendor, you expect it to provide some level of security,” said Reguly. “But MS09-008 only mitigates the problem, it doesn’t patch it.”
Read the full story [computerworld.com].
Also see nCircle’s original advisory [ncircle.com] and the reaction from Microsoft’s security response [technet.com] team.