Update: Microsoft fixes faulty Internet Explorer patch

By Dennis Fisher, News Director 24 Aug 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The Internet Explorer patch that Microsoft released earlier this month not only caused the browser to crash on many machines, but also produced an exploitable condition in IE that is currently unpatched.

The Internet Explorer heap overflow vulnerability enables an attacker to gain control of a PC by enticing users to click on a malicious link in an email or visit a malicious Web site. The flaw is exploitable on machines that are running IE 6 with Service Pack 1 (SP1) installed and is only an issue on sites that use compression, said Marc Maiffret, chief hacking officer at eEye Digital Security Inc. in Aliso Viejo, Calif.

Microsoft, of Redmond, Wash., had acknowledged that the original MS06-042 patch causes IE to crash on some machines, and late Tuesday informed customers that the condition can be exploited.

However, a Microsoft spokesman said the company abandoned plans to release a new patch on Tuesday because of issues discovered during the testing process. The company did however post an advisory on its TechNet site notifying customers that the patch would be delayed.

The advisory said the Microsoft was "aggressively investigating" the reports but did not say when the new fix might be available for customers.

Maiffret said that eEye informed Microsoft on Aug. 17 about the exploitable condition, and he said other research companies have notified Microsoft of the problem as well. A day earlier, Microsoft posted a message about the crashes on the Microsoft Security Response Center blog and subsequently created a Knowledge Base article, providing customers with a link through which they can request a hotfix from Microsoft Product Support Services.

Maiffret criticized Microsoft for not providing its customers with more timely information.

"The thing that's crazy to me is that they either knowingly left people vulnerable or just blew it," Maiffret said. "You know the bad guys saw this like anybody else. [Microsoft hasn't] warned anybody. [The vulnerability] is pretty easy to find."

eEye published an advisory about the problem Tuesday.

The original MS06-042 fix is a cumulative update for IE that includes patches for eight separate flaws. Microsoft and other experts had recommend that users install the original fix until the updated one is available.

Tags: Security Patch Management,  Information Security Policies, Procedures and Guidelines,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Information Security Policies, Procedures and Guidelines Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Expert: Information security spending often restricts innovation GAO report cites government weaknesses, data leakage Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary