Update: Microsoft fixes faulty Internet Explorer patch

By Dennis Fisher, News Director 24 Aug 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The Internet Explorer patch that Microsoft released earlier this month not only caused the browser to crash on many machines, but also produced an exploitable condition in IE that is currently unpatched.

The Internet Explorer heap overflow vulnerability enables an attacker to gain control of a PC by enticing users to click on a malicious link in an email or visit a malicious Web site. The flaw is exploitable on machines that are running IE 6 with Service Pack 1 (SP1) installed and is only an issue on sites that use compression, said Marc Maiffret, chief hacking officer at eEye Digital Security Inc. in Aliso Viejo, Calif.

Microsoft, of Redmond, Wash., had acknowledged that the original MS06-042 patch causes IE to crash on some machines, and late Tuesday informed customers that the condition can be exploited.

However, a Microsoft spokesman said the company abandoned plans to release a new patch on Tuesday because of issues discovered during the testing process. The company did however post an advisory on its TechNet site notifying customers that the patch would be delayed.

The advisory said the Microsoft was "aggressively investigating" the reports but did not say when the new fix might be available for customers.

Maiffret said that eEye informed Microsoft on Aug. 17 about the exploitable condition, and he said other research companies have notified Microsoft of the problem as well. A day earlier, Microsoft posted a message about the crashes on the Microsoft Security Response Center blog and subsequently created a Knowledge Base article, providing customers with a link through which they can request a hotfix from Microsoft Product Support Services.

Maiffret criticized Microsoft for not providing its customers with more timely information.

"The thing that's crazy to me is that they either knowingly left people vulnerable or just blew it," Maiffret said. "You know the bad guys saw this like anybody else. [Microsoft hasn't] warned anybody. [The vulnerability] is pretty easy to find."

eEye published an advisory about the problem Tuesday.

The original MS06-042 fix is a cumulative update for IE that includes patches for eight separate flaws. Microsoft and other experts had recommend that users install the original fix until the updated one is available.

Tags: Security Patch Management,  Information Security Policies, Procedures and Guidelines,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws Information Security Policies, Procedures and Guidelines Twitter risks, Facebook threats trouble security pros Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence DHS fills National Cybersecurity Center post New partnerships, creative thinking help security bust recession Experts optimistic of Obama cybersecurity plan Web Browser Security Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Firefox update addresses several security flaws Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary