August 22, 2006 5:41 PM PDT

IE patch carries security bug

There's more trouble with Microsoft's latest Internet Explorer patch: It introduces a serious new security flaw on some Windows systems.

The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.

"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."

Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.

The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.

Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.

As a result, users of IE 6.0 with SP1 are exposed either way: those who have not installed MS06-042 remain open to the eight flaws it fixes, and those who have installed it are open to the new buffer overrun. Microsoft advises users to install the patch and then to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.
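The workaround Microsoft recommends is a browser setting rather than code, but an administrator will usually want to audit it across users rather than click through Internet Options by hand. The PowerShell script below is an added example, not code from the article or from Microsoft's advisory. It assumes that IE's "Use HTTP 1.1" checkbox is stored as the DWORD value EnableHttp1_1 under the current user's Internet Settings registry key (1 = enabled); the article does not name that location, so treat the key and value name as assumptions to verify on your own build before relying on them.

```powershell
# Added example (not from the CNET article or the MS06-042 advisory).
# Reports whether Internet Explorer's "Use HTTP 1.1" option is enabled for the
# current user and, with -Disable, turns it off as an interim workaround.
# Assumption: the option is stored as DWORD EnableHttp1_1 under the
# Internet Settings key (1 = enabled; absent means IE applies its default,
# which has HTTP 1.1 switched on).
param([switch]$Disable)

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$name = 'EnableHttp1_1'

$props   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$current = if ($null -eq $props) { $null } else { $props.$name }

if ($null -eq $current) {
    Write-Output "$name is not set; IE will use its default (HTTP 1.1 enabled)."
    $enabled = $true
} elseif ($current -eq 1) {
    Write-Output "HTTP 1.1 is ENABLED in IE for this user."
    $enabled = $true
} else {
    Write-Output "HTTP 1.1 is already disabled in IE for this user."
    $enabled = $false
}

if ($enabled -and $Disable) {
    # Write an explicit 0 so the setting is visible in Internet Options;
    # the change applies to new IE sessions only.
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    Write-Output "Set $name to 0; restart Internet Explorer for it to take effect."
}
```

Run it without arguments to audit, and with -Disable to apply the workaround for the logged-on user. Because the value is per user (HKCU), a fleet-wide rollout belongs in a logon script or Group Policy preference, and the setting should be reverted once the corrected MS06-042 update is installed, since HTTP 1.1 is needed for ordinary features such as persistent connections and compression.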

The security issue does not affect other versions of IE, such as the version in Windows XP with SP2 or on Windows Server 2003, Microsoft said.

This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.

An update to the MS06-042 update is still in the works, but Microsoft could not say when it would be ready.


12 comments

Hah...
What's new?
Posted by 8ball629 (80 comments )
do...
really need to say anything.. I mean.. come on. How much can the
lemmings take before they figure out that their ship is sinking....
Posted by Jesus#2 (127 comments )
Is it just me?
Or does this same "IE has a security bug" story show up about every
six weeks?
Posted by rcrusoe (1305 comments )
nope
No, it's not you. CNET reports tech news... as much as they can. This is the second article concerning this same bug. Since I do not run IE 6 or have programs calling over 1 GB of memory (more than what my PC has), I'm not too concerned. These bugs will only affect a very small percentage of Windows users, but it is still tech news and CNET has the right to report it.
Posted by Seaspray0 (9714 comments )
I predict
Vista will be delayed to 2008!
Posted by paulsecic (298 comments )
Update your freaking system
Only affects those that are still running SP1 ...

You deserve it.
Posted by KsprayDad (375 comments )
agreed
Only affects those that are still running Winblows - you deserve it.
Posted by Dalkorian (3000 comments )
n3td3v Don't talk to the wall. People need to think, not to be told what to do
Whoever saw the mess with Windows after the 2003 Blaster debacle should have come to the conclusion that we had a real problem, and arrived at the following conclusions.

There was no use going back to Microsoft to solve the problems; a lemon is always a lemon and you won't get an orange out of a lemon.

Symantec is out for profits and will profit from our ignorance; fear is excellent to control human behavior, and buying out of fear is the best seller of all.

If people don't see that they need an alternative to Windows, don't worry, they'll pay the price. You can use Linux and have no problems. I have 10 machines and 15 extra hard drives and I test almost every version of Linux as soon as they come out of the oven, just to know my best choices. All this thanks to Windows. If Windows had worked perfectly out of the box, I would never have gotten into all this testing and experimenting with Linux that I enjoy very much.

Microsoft is only partially responsible; people want their Windows. I have spent hours talking and showing friends the benefits of Linux; no one has crossed the line. Only one is keeping a copy and told me that if one day his XP goes kaput he will try Linux.

Personal responsibility is key: you have to protect yourself. If you wait for the police, it will be too late, you'll be dead. Don't even think about the court system; they are sold to big lawyers, politicians and corporations. It is up to the consumer. The day consumers boycott Dell and HP and demand a safe OS, that will be the day.

Until I see that day, I enjoy my Linux. I don't buy any MS, Computer Assc., Symantec etc. products. I don't buy computers with pre-installed Windows. No Dells and no HPs.

We have the power.... but if we choose not to use it, we deserve Windows.
Posted by gerardogerardo80 (28 comments )
Linux
See, you need to look at it from a different perspective! When a company, "X" we'll call it, brings out a new something, call it "Y", then we the consumers, "Z", are supposed to automatically "KNOW" what X is talking about without any real explanation of what Y is or does and how it would do what it does. And there is the problem of how to get Y if we for some unknown reason actually want Y.
I've heard people talk about LINUX and say BAD, BADDER and BADDEST stuff about it. Now you say we ought to get it, but when, where and how? No explanation of that. Inertia is that Windows is already in the machines we buy (UNLESS we go Apple), which I also have in my home. No one explains how to get LINUX (where do you buy it anyway?) and replace Windows without losing everything. Get the point, yet?
Posted by 13stones (2 comments )
First they need to build awareness.
Linux gains ground through guerrilla marketing, and that's what's
going on here. Eventually, enough people should be aware of it
that computer resellers can sell it pre-installed. The debate in
the future should be Mac or Linux, with Windows being
relegated to legacy status.

You can already see it with people switching to Mac. They're
getting the new Intel Macs secure in the knowledge that they can
boot into Windows if they really need to, but then rarely using it.
Linux will get there too, but it will take time.
Posted by Macsaresafer (802 comments )